https://community.splunk.com/t5/Getting-Data-In/Event-filtering-on-Heavy-Forwarder/m-p/454218#M95022 <P>Tried and was unsuccessful ! <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span> </P> Wed, 03 Jul 2019 02:39:37 GMT muhammadalavi19 2019-07-03T02:39:37Z https://community.splunk.com/t5/Getting-Data-In/Event-filtering-on-Heavy-Forwarder/m-p/454214#M95018 <P>Hi guys <BR /> I have a multi tier Splunk implementation as following : </P> <P>Syslog ----&gt; Heavy-Forwarder ----&gt; Indexer<BR /> Universal Forwarder ------&gt; Heavy-Forwarder ----&gt; Indexer</P> <P>Regarding that i need an event filtering on the HF . The event in question is Cisco ACS event and i want to ignore system statistics logs of mentioned product . So I've build the following configuration : </P> <P>props.conf <BR /> [udp://192.168.110.30:516]<BR /> TRANSFORMS-set = Cisco_ACS</P> <P>tranforms.conf<BR /> [Cisco_ACS]<BR /> REGEX = System-Stats<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</P> <P>Following you can see an example of such log : <BR /> Jul 2 20:44:02 192.168.110.30 Jul 2 16:14:02 ACS CSCOacs_System_Statistics 0000028700 1 0 2019-07-02 16:14:02.670 +00:00 0000099874 70000 NOTICE System-Stats: ACS Utilization, ACSVersion=acs-5.8.1.4-B.462.x86_64, ConfigVersionId=5, SysStatsUtilizationCpu=5.48%, SysStatsUtilizationNetwork=eth0: rcvd = 10045\; sent = 1547, SysStatsUtilizationMemory=39.72%, SysStatsUtilizationDiskIO=0.74%, SysStatsUtilizationDiskSpace=21.19% /opt/CSCOacs/runtime, SysStatsUtilizationDiskSpace=24.82% /, SysStatsUtilizationDiskSpace=12.35% /boot, SysStatsUtilizationDiskSpace=8.29% /home, SysStatsUtilizationDiskSpace=7.44% /localdisk, SysStatsUtilizationDiskSpace=21.19% /opt, SysStatsUtilizationDiskSpace=6.84% /storedconfig, SysStatsUtilizationDiskSpace=7.97% /tmp, SysStatsUtilizationDiskSpace=16.39% /var, AverageRadiusRequestLatency=0, AverageTacacsRequestLatency=0, DeltaRadiusRequestCount=0, DeltaTacacsRequestCount=0, </P> <P>So i need to filter any log containing "System-Stats" . but my configuration is not working . I guess there is a problem in my REGEX syntax . I need help seriously .</P> <P>Thanks in advance. </P> Wed, 30 Sep 2020 01:09:12 GMT https://community.splunk.com/t5/Getting-Data-In/Event-filtering-on-Heavy-Forwarder/m-p/454214#M95018 muhammadalavi19 2020-09-30T01:09:12Z https://community.splunk.com/t5/Getting-Data-In/Event-filtering-on-Heavy-Forwarder/m-p/454215#M95019 <P>tranforms.conf<BR /> [Cisco_ACS]<BR /> REGEX = System-Stats:</P> <P>Try this.<BR /> thanks.</P> Tue, 02 Jul 2019 18:20:03 GMT https://community.splunk.com/t5/Getting-Data-In/Event-filtering-on-Heavy-Forwarder/m-p/454215#M95019 sandeepmakkena 2019-07-02T18:20:03Z https://community.splunk.com/t5/Getting-Data-In/Event-filtering-on-Heavy-Forwarder/m-p/454216#M95020 <P>Is udp://192.168.110.30:516 the sourcetype for this data? That is what your props.conf indicates. If not, you may need to replace that with something else, such as one of the following:</P> <PRE><CODE>#Sourcetype: [cisco:acs] #Source: [source::udp://192.168.110.30:516] #Host: [host::192.168.110.30] </CODE></PRE> Tue, 02 Jul 2019 20:19:24 GMT https://community.splunk.com/t5/Getting-Data-In/Event-filtering-on-Heavy-Forwarder/m-p/454216#M95020 spayneort 2019-07-02T20:19:24Z https://community.splunk.com/t5/Getting-Data-In/Event-filtering-on-Heavy-Forwarder/m-p/454217#M95021 <P>Yes the source is what mentioned in props.conf and it's true. </P> Wed, 03 Jul 2019 02:37:30 GMT https://community.splunk.com/t5/Getting-Data-In/Event-filtering-on-Heavy-Forwarder/m-p/454217#M95021 muhammadalavi19 2019-07-03T02:37:30Z https://community.splunk.com/t5/Getting-Data-In/Event-filtering-on-Heavy-Forwarder/m-p/454218#M95022 <P>Tried and was unsuccessful ! <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span> </P> Wed, 03 Jul 2019 02:39:37 GMT https://community.splunk.com/t5/Getting-Data-In/Event-filtering-on-Heavy-Forwarder/m-p/454218#M95022 muhammadalavi19 2019-07-03T02:39:37Z