https://community.splunk.com/t5/Getting-Data-In/Splunk-DB-Connect-Why-are-my-props-and-transforms-configurations/m-p/128686#M97741 <P>Hello all ye gurus<BR /> We have Mcafee EPO data coming into splunk as follows<BR /> - DBX app installed which connects to the EPO data and pulls the information. <BR /> - the $Splunk_home$\etc\apps\dbx\local\inputs.conf has the source (dbmon_tail.......)<BR /> - the index, sourcetype=mcafee:epo are set here</P> <P>This all works well but i want to filter out a number of events that are extracted from the Mcafee EPO database. Specifically, events where the signature = "Anti-virus Standard Protection:Prevent user rights policies from being altered"</P> <P>so my strategy was to use props and transforms file to filter it out <BR /> so in the props file, I added</P> <PRE><CODE>[mcafee:epo] TRANSFORMS-filter_unwanted_events=filter_unwanted_events </CODE></PRE> <P>In the transforms file, I added</P> <PRE><CODE>[filter_unwanted_events] REGEX = (?m)\nsignature.+Protection DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> <P>This is on a heavy forwarder, however, i am not able to get this to work.</P> <P>where i am going wrong? <BR /> -is the transforms not being applied on the right source/sourcetype?<BR /> -is the regex not correct?<BR /> -am i using the wrong props and transforms files?</P> <P>Any help would be greatly appreciated. <BR /> Thanks!</P> Mon, 28 Sep 2020 18:50:43 GMT jeffryjacob 2020-09-28T18:50:43Z https://community.splunk.com/t5/Getting-Data-In/Splunk-DB-Connect-Why-are-my-props-and-transforms-configurations/m-p/128686#M97741 <P>Hello all ye gurus<BR /> We have Mcafee EPO data coming into splunk as follows<BR /> - DBX app installed which connects to the EPO data and pulls the information. <BR /> - the $Splunk_home$\etc\apps\dbx\local\inputs.conf has the source (dbmon_tail.......)<BR /> - the index, sourcetype=mcafee:epo are set here</P> <P>This all works well but i want to filter out a number of events that are extracted from the Mcafee EPO database. Specifically, events where the signature = "Anti-virus Standard Protection:Prevent user rights policies from being altered"</P> <P>so my strategy was to use props and transforms file to filter it out <BR /> so in the props file, I added</P> <PRE><CODE>[mcafee:epo] TRANSFORMS-filter_unwanted_events=filter_unwanted_events </CODE></PRE> <P>In the transforms file, I added</P> <PRE><CODE>[filter_unwanted_events] REGEX = (?m)\nsignature.+Protection DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> <P>This is on a heavy forwarder, however, i am not able to get this to work.</P> <P>where i am going wrong? <BR /> -is the transforms not being applied on the right source/sourcetype?<BR /> -is the regex not correct?<BR /> -am i using the wrong props and transforms files?</P> <P>Any help would be greatly appreciated. <BR /> Thanks!</P> Mon, 28 Sep 2020 18:50:43 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-DB-Connect-Why-are-my-props-and-transforms-configurations/m-p/128686#M97741 jeffryjacob 2020-09-28T18:50:43Z https://community.splunk.com/t5/Getting-Data-In/Splunk-DB-Connect-Why-are-my-props-and-transforms-configurations/m-p/128687#M97742 <P>Hi jeffryjacob,</P> <P>here are my answers:</P> <P><EM>is the transforms not being applied on the right source/sourcetype?</EM><BR /> run <CODE>$SPLUNK_HOME/bin/splunk cmd btool props mcafee:epo list</CODE> to verify this</P> <P><EM>is the regex not correct?</EM><BR /> Yes, it is not correct - try this <CODE>signature.+Protection</CODE></P> <P><EM>am i using the wrong props and transforms files?</EM><BR /> No, you're not </P> <P>Hope this helps ...</P> <P>cheers, MuS</P> Fri, 06 Feb 2015 06:55:51 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-DB-Connect-Why-are-my-props-and-transforms-configurations/m-p/128687#M97742 MuS 2015-02-06T06:55:51Z