topic Re: filtering off events based based on ip address in Getting Data In

filtering off events based based on ip address

remy06 — Thu, 17 Feb 2011 18:19:34 GMT

Hi,

I am trying to filter off ip address on our splunk server based on the source - C:\http server\logs\web-access.log

A sample of the event looks like this:
192.168.1.15 - - [17/Feb/2011:18:13:34 +0800] "GET /" 200 8146

And my configuration:
props.conf [source::C:\\http server\\logs\\web-access.log] TRANSFORMS-null = sendnull

transforms.conf [sendnull] REGEX = 192\.168\.1\.15 DEST_KEY = queue FORMAT = nullQueue

I still see events from 192.168.1.15 coming in.Any idea?

Re: filtering off events based based on ip address

IgorB — Thu, 17 Feb 2011 19:36:24 GMT

Stanza name in props.conf is incorrect: you've got to prepend it with "source::".

See props.conf spec for more info

[<spec>]
* This stanza enables properties for a given <spec>. 
* A props.conf file can contain multiple stanzas for any number of different <spec>.
* Follow this stanza name with any number of the following attribute/value pairs.
* If you do not set an attribute for a given <spec>, the default is used.

<spec> can be:
1. <sourcetype>, the source type of an event.
2. host::<host>, where <host> is the host for an event.
3. source::<source>, where <source> is the source for an event.
[...]

Re: filtering off events based based on ip address

remy06 — Fri, 18 Feb 2011 10:54:53 GMT

The file path should be "C:\http server\logs\web-access.log". There's a space between "http" and "server". I've amended my post.

Re: filtering off events based based on ip address

remy06 — Fri, 18 Feb 2011 10:57:22 GMT

I've also tried to specify this in the stanza name in props.conf:
[source::C:\http server\logs\web-access.log]..but not working..Could it be due to the space between http and server?

Re: filtering off events based based on ip address

remy06 — Fri, 18 Feb 2011 11:47:38 GMT

also to mention,my splunk server is receiving events from the web server,where splunk is installed as a forwarder and configured to read apache log files locally before forwarding them.

Re: filtering off events based based on ip address

remy06 — Mon, 21 Feb 2011 15:57:47 GMT

any idea what's wrong with my config?

Re: filtering off events based based on ip address

IgorB — Fri, 22 Apr 2011 09:00:53 GMT

If the instance monitoring the log is not a light-weight forwarder, then all transforms should be done there. In such a case your config will have no effect on the indexer.