All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Remove syslog data in transforms.com

jotne
Builder
‎12-17-2021 04:16 AM

I have a Splunk Heavy Forwarder server that is a rsyslog server as well.

When Splunk sees the syslog data, it sets the source type, then the index name before its sent to indexing.

props.conf

 

[rsyslog]
TRANSFORMS-force_vmware = force_sourcetype_vmware, force_ix_vmware

 

 transforms.conf

 

force_sourcetype_vmware]
SOURCE_KEY = MetaData:Host
REGEX = ^host::(10\.30\.31\.\d+)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::esxi


[force_ix_vmware]
SOURCE_KEY = MetaData:Sourcetype
REGEX = ^sourcetype::(?i)esxi$
DEST_KEY = _MetaData:Index
FORMAT = vmware

 

 

This works fine.

I now like to remove all lines (that are from vmware) that starts with:

 

<134>2021.....
<166>2021.....

 

 

To do so, I made a regex like this:

 

REGEX = ^<(134|166)>2021

 

 

I know that to remove some, I should use:

 

DEST_KEY = queue
FORMAT = nullQueue

 

 

But I do not get it to work.  How to make sure only remove correct data from vmware only?

Labels (1)
Labels
0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...