topic SC4S: version 2 filter events not working in Splunk Search https://community.splunk.com/t5/Splunk-Search/SC4S-version-2-filter-events-not-working/m-p/602515#M209730 <P>Hi, I tried to filter events on version 2.30.0 based on v1.110.0 configuration, but it failed to dropped events in version 2. I also have read the document but somehow it still not working. maybe something that I miss out. kindly advise</P><P><STRONG>SC4S V1.110.0</STRONG></P><P>$ cat vendor_product_by_source.csv<BR />f_null_queue,sc4s_vendor_product,"null_queue"</P><P>$ cat vendor_product_by_source.conf<BR />filter f_null_queue {<BR />host(10.14.1.98)<BR />or host(10.14.1.99)<BR />or host("uk-test-intfw*" type(glob))<BR />};</P><P><EM>Result: Events from above host has been dropped and didn’t see it show in Splunk</EM></P><P><STRONG>SC4S v2.30.0</STRONG><BR />$ cat vendor_product_by_source.csv<BR />f_null_queue,sc4s_vendor_product,"null_queue"</P><P>$ cat vendor_product_by_source.conf<BR />filter f_null_queue {<BR />host(10.14.1.98)<BR />or host(10.14.1.99)<BR />or host("uk-test-intfw*" type(glob))<BR />};</P><P><EM>Result: With the same statement as V1, events still continues flow into Splunk without filter.</EM></P><P>I have follow the document and make changed as below</P><P>$ cat vendor_product_by_source.csv<BR />f_cisco_asa,sc4s_vendor_product,cisco_asa<BR />f_fortinet_fortios,sc4s_vendor_product,fortinet_fortios</P><P>$ cat vendor_product_by_source.conf<BR />filter f_cisco_asa {<BR />host(10.14.1.98)<BR />or host(10.14.1.99)<BR />};</P><P>filter f_fortinet_fortios {<BR />host(uk-test-intfw*" type(glob))<BR />};</P> Tue, 21 Jun 2022 05:18:37 GMT jomon_ng 2022-06-21T05:18:37Z SC4S: version 2 filter events not working https://community.splunk.com/t5/Splunk-Search/SC4S-version-2-filter-events-not-working/m-p/602515#M209730 <P>Hi, I tried to filter events on version 2.30.0 based on v1.110.0 configuration, but it failed to dropped events in version 2. I also have read the document but somehow it still not working. maybe something that I miss out. kindly advise</P><P><STRONG>SC4S V1.110.0</STRONG></P><P>$ cat vendor_product_by_source.csv<BR />f_null_queue,sc4s_vendor_product,"null_queue"</P><P>$ cat vendor_product_by_source.conf<BR />filter f_null_queue {<BR />host(10.14.1.98)<BR />or host(10.14.1.99)<BR />or host("uk-test-intfw*" type(glob))<BR />};</P><P><EM>Result: Events from above host has been dropped and didn’t see it show in Splunk</EM></P><P><STRONG>SC4S v2.30.0</STRONG><BR />$ cat vendor_product_by_source.csv<BR />f_null_queue,sc4s_vendor_product,"null_queue"</P><P>$ cat vendor_product_by_source.conf<BR />filter f_null_queue {<BR />host(10.14.1.98)<BR />or host(10.14.1.99)<BR />or host("uk-test-intfw*" type(glob))<BR />};</P><P><EM>Result: With the same statement as V1, events still continues flow into Splunk without filter.</EM></P><P>I have follow the document and make changed as below</P><P>$ cat vendor_product_by_source.csv<BR />f_cisco_asa,sc4s_vendor_product,cisco_asa<BR />f_fortinet_fortios,sc4s_vendor_product,fortinet_fortios</P><P>$ cat vendor_product_by_source.conf<BR />filter f_cisco_asa {<BR />host(10.14.1.98)<BR />or host(10.14.1.99)<BR />};</P><P>filter f_fortinet_fortios {<BR />host(uk-test-intfw*" type(glob))<BR />};</P> Tue, 21 Jun 2022 05:18:37 GMT https://community.splunk.com/t5/Splunk-Search/SC4S-version-2-filter-events-not-working/m-p/602515#M209730 jomon_ng 2022-06-21T05:18:37Z