topic Using regex, how to exclude any events in the host field and keep the rest? in Splunk Search

Using regex, how to exclude any events in the host field and keep the rest?

some_guy — Thu, 14 Jun 2018 17:29:05 GMT

One big syslog file I need to index (monitor) daily. Many hosts log to this syslog file.

I want to exclude any events that contain 'server1' in the host field, and keep the rest.

On the receiving indexer, the following is in /opt/splunk/etc/system/local

props.conf:

[source::/syslog/Security/*.log]
TRANSFORMS-set = setnull, setparsing

transforms.conf:

[setnull]
REGEX = server1
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX = .
DEST_KEY = queue
FORMAT = indexQueue

Where might I have gone wrong? This does not seem to work.

Re: Using regex, how to exclude any events in the host field and keep the rest?

lacastillo — Thu, 14 Jun 2018 18:44:44 GMT

Make sure to set your SOURCE_KEY = MetaData:Host under the [setnull] stanza in transforms.conf. That will get rid of the unwanted events, you shouldn't need the second stanza as the rest of the events that don't contain "server1" in the host field should get ingested per the rest of the parameters set in props.conf.

let me know if that helps.

Re: Using regex, how to exclude any events in the host field and keep the rest?

some_guy — Thu, 14 Jun 2018 19:07:31 GMT

Alleluia, its finally working!!! The key is, as you said:

SOURCE_KEY = MetaData:Host

THANKS!

Re: Using regex, how to exclude any events in the host field and keep the rest?

lacastillo — Thu, 14 Jun 2018 19:09:23 GMT

You're very welcome!