https://community.splunk.com/t5/Getting-Data-In/Null-Filtering-Not-Working/m-p/529025#M89151 <P>Greetings all. I am having some trouble getting syslog data to filter with regards to nullQueue. Below are what my config files look like and some additional troubleshooting I've taken so far.</P><P>inputs.conf</P><P>[udp://5514]<BR />connection_host = ip<BR />index = org_index<BR />sourcetype = cisco:firepower:syslog</P><P>&nbsp;</P><P>props.conf</P><P>[source::udp:5514]<BR />TRANSFORMS-set= setnull,setparsing</P><P>&nbsp;</P><P>transforms.conf</P><P>[setnull]<BR />REGEX = .<BR />DEST_KEY = queue<BR />FORMAT = nullQueue</P><P>[setparsing]<BR />REGEX = \%FTD-\d-(430002|430003)<BR />DEST_KEY = queue<BR />FORMAT = indexQueue</P><P>&nbsp;</P><P>My environment flows Firepower syslog &gt; Heavy Fwd (on prem) &gt; Splunk Cloud and the above configs are on the Heavy Fwd.</P><P>In the syslog stream, there are "Correlation Event" logs I am trying to drop. Above I am trying to ingest only message ID's of 430002 and 430003 and drop everything else, however, Correlation Events are still coming in. I've also tried the alternative where I'm targeting Correlation Event in the regex in an effort to drop them, also unsuccessful. Below are some additional troubleshooting steps I've taken.</P><UL><LI>reformatting the source as [source::udp://5514] in props.conf</LI><LI>removed spaces before and after the equals signs for each attribute</LI><LI>removed the line "REGEX = ." in transforms.conf</LI><LI>tried the sourcetype in props.conf, so [cisco:firepower:syslog]</LI><LI>tried different regex matches, using regex101</LI><LI>restarting Heavy Fwd after each change</LI></UL><P>Here is the Splunk Doc I've been working with primarily:&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/8.1.0/Forwarding/Routeandfilterdatad#Discard_specific_events_and_keep_the_rest" target="_blank" rel="noopener">https://docs.splunk.com/Documentation/Splunk/8.1.0/Forwarding/Routeandfilterdatad#Discard_specific_events_and_keep_the_rest</A></P><P>Any help is greatly appreciated!</P> Wed, 11 Nov 2020 22:04:39 GMT iamDT03 2020-11-11T22:04:39Z https://community.splunk.com/t5/Getting-Data-In/Null-Filtering-Not-Working/m-p/529025#M89151 <P>Greetings all. I am having some trouble getting syslog data to filter with regards to nullQueue. Below are what my config files look like and some additional troubleshooting I've taken so far.</P><P>inputs.conf</P><P>[udp://5514]<BR />connection_host = ip<BR />index = org_index<BR />sourcetype = cisco:firepower:syslog</P><P>&nbsp;</P><P>props.conf</P><P>[source::udp:5514]<BR />TRANSFORMS-set= setnull,setparsing</P><P>&nbsp;</P><P>transforms.conf</P><P>[setnull]<BR />REGEX = .<BR />DEST_KEY = queue<BR />FORMAT = nullQueue</P><P>[setparsing]<BR />REGEX = \%FTD-\d-(430002|430003)<BR />DEST_KEY = queue<BR />FORMAT = indexQueue</P><P>&nbsp;</P><P>My environment flows Firepower syslog &gt; Heavy Fwd (on prem) &gt; Splunk Cloud and the above configs are on the Heavy Fwd.</P><P>In the syslog stream, there are "Correlation Event" logs I am trying to drop. Above I am trying to ingest only message ID's of 430002 and 430003 and drop everything else, however, Correlation Events are still coming in. I've also tried the alternative where I'm targeting Correlation Event in the regex in an effort to drop them, also unsuccessful. Below are some additional troubleshooting steps I've taken.</P><UL><LI>reformatting the source as [source::udp://5514] in props.conf</LI><LI>removed spaces before and after the equals signs for each attribute</LI><LI>removed the line "REGEX = ." in transforms.conf</LI><LI>tried the sourcetype in props.conf, so [cisco:firepower:syslog]</LI><LI>tried different regex matches, using regex101</LI><LI>restarting Heavy Fwd after each change</LI></UL><P>Here is the Splunk Doc I've been working with primarily:&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/8.1.0/Forwarding/Routeandfilterdatad#Discard_specific_events_and_keep_the_rest" target="_blank" rel="noopener">https://docs.splunk.com/Documentation/Splunk/8.1.0/Forwarding/Routeandfilterdatad#Discard_specific_events_and_keep_the_rest</A></P><P>Any help is greatly appreciated!</P> Wed, 11 Nov 2020 22:04:39 GMT https://community.splunk.com/t5/Getting-Data-In/Null-Filtering-Not-Working/m-p/529025#M89151 iamDT03 2020-11-11T22:04:39Z https://community.splunk.com/t5/Getting-Data-In/Null-Filtering-Not-Working/m-p/529069#M89159 <P>This issue has been resolved. The [setnull] transform stanza name was conflicting with another transform stanza from a separate add-on. Making the following changes to props.conf and transforms.conf remedied the problem.</P><LI-CODE lang="markup">#props.conf [source::udp:5514] TRANSFORMS-set= dropEvents,setparsing #transforms.conf [dropEvents] REGEX = . DEST_KEY = queue FORMAT = nullQueue [setparsing] REGEX = \%FTD-\d(430002|430003) DEST_KEY = queue FORMAT = indexQueue</LI-CODE> Thu, 12 Nov 2020 04:45:29 GMT https://community.splunk.com/t5/Getting-Data-In/Null-Filtering-Not-Working/m-p/529069#M89159 iamDT03 2020-11-12T04:45:29Z