Building for the Splunk Platform

Filtering Events into nullqueue

JPrictoe
Loves-to-Learn

Real novice here. I am ingesting a sourcetype into Splunk, and want to filter out any events with the word "FAILED" right after the first IP address.`

Below is my props in etc\apps\search\local

[sslbcoat1]
DATETIME_CONFIG = 
NO_BINARY_CHECK = true
category = Custom
pulldown_type = true
TRANSFORMS-null = setnull

`
and then here's my transforms where I THOUGHT I was carving out failures and sending them to null:

[geo_us_states]
external_type = geo
filename = geo_us_states.kmz

[geo_countries]
external_type = geo
filename = geo_countries.kmz

[geo_attr_us_states]
filename = geo_attr_us_states.csv

[geo_attr_countries]
filename = geo_attr_countries.csv

[setnull]
REGEX = ^.+(F...).+$
DEST_KEY = queue
FORMAT = nullQueue

The regex might be wrong, but somehow I don't think that's the problem. Thanks and any insight would be appreciated.

Sample event:

014-04-17 13:50:22 2 10.3.31.70 FAILED - - - - 199.83.168.160 - - - none - - - - none - - 163.252.254.201 SG-SSL-Proxy-Service - 58642

Tags (1)
0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Your regex looks really off - copy&paste error? If not, all it does is look for the capital F followed by some characters.
This should be better: \s\d+\.\d+\.\d+\.\d+\s+FAILED
Note, this doesn't actually match only IPv4 addresses, but it should be correct enough. Additionally, it doesn't check if it's the first IP that's being followed by FAILED - address that if you expect events that contain FAILED after a later IP that you want to keep, for example by only looking N words deep into the event from the beginning, as these look like syslog-ish headers.

There is an app for Bluecoat ProxySG on Splunkbase, that might help you a lot with field extraction and stuff.

Get Updates on the Splunk Community!

Security Highlights: September 2022 Newsletter

 September 2022 The Splunk App for Fraud Analytics (SFA) is now Splunk SupportedUse your existing Splunk ...

Platform Highlights | September 2022 Newsletter

 September 2022 What’s New in 9.0 and How to UpgradeGet a walk through of what is new Splunk Enterprise 9.0 ...

Observability Highlights | September 2022 Newsletter

 September 2022 Splunk Observability SuiteAccess to "Classic" SignalFx Interface Will be Removed on Sept 30, ...