Discarding Specific type of traffic either on forwarder or indexer fails

abwe — Thu, 03 Oct 2019 08:42:28 GMT

Discarding Specific type of traffic either on forwarder or indexer fails, I tried to discard it using blacklist on forwarder and nullqueue transform on indexer and both failed.

here is a log sample

Oct 3 11:34:03 1.1.1.1 CEF:0|FORCEPOINT|Firewall|6.5.1|70018|Connection_Allowed|0|app=SNMP (UDP) rt=Oct 03 2019 11:28:12 deviceFacility=Packet Filtering act=Allow deviceOutboundInterface=13 deviceInboundInterface=0 proto=17 dpt=161 spt=62032 dst=2.2.2.2 src=3.3.3.3 dvchost=4.4.4.4 dvc=4.4.4.4 deviceExternalId=company-name node 1 cs1Label=RuleID cs1=2097272.10

and the configuration

props.conf
[forcepoint]
Transform-Forcepoint=discardsnmp

transforms.conf
[discardsnmp]
REGEX = app=SNMP
DEST_KEY = queue
FORMAT = nullQueue

any one can find out what is the problem?

Re: Discarding Specific type of traffic either on forwarder or indexer fails

ivanreis — Tue, 15 Oct 2019 00:15:06 GMT

please try this one: https://regex101.com/r/wgNicw/1

transforms.conf
[discardsnmp]
REGEX = \b(\w[a-zA-Z].*\Dapp=SNMP.+)
DEST_KEY = queue
FORMAT = nullQueue

Re: Discarding Specific type of traffic either on forwarder or indexer fails

abwe — Sun, 20 Oct 2019 09:34:40 GMT

Thanks, it worked like charm

topic Re: Discarding Specific type of traffic either on forwarder or indexer fails in Splunk Enterprise Security

Discarding Specific type of traffic either on forwarder or indexer fails

Re: Discarding Specific type of traffic either on forwarder or indexer fails

Re: Discarding Specific type of traffic either on forwarder or indexer fails