I have a Cisco monitor file log on a lightweight forwarder. We want to blacklist specific events, like teardowns and builds. Is this done in the props.conf stanza, or can I use a transforms.conf and send those to nullQueue, or does this go into the inputs.conf file?
Not sure where to do this.
Thanks!
See the syntax in props.conf; it should be
TRANSFORMS-null=cisco-setnull,cisco-extractions
Also, in transforms.conf, in the cisco-setnull regex, remove the .* and only write the regex for the keyword present in an event. Also, I am not sure whether you have written a correct regex, so give me a sample event and tell me the keyword, and I will write a regex for you!!
Let me know if this helps!
Hey, try this:
Discard specific events and keep the rest
This example discards all teardown and build events in /var/log/messages by sending them to nullQueue:
1) In props.conf, set the TRANSFORMS-null attribute:
[source::/var/log/messages]
TRANSFORMS-null= setnull,setnull1
2) Create a corresponding stanza in transforms.conf. Set DEST_KEY to "queue" and FORMAT to "nullQueue":
[setnull]
REGEX = teardowns
DEST_KEY = queue
FORMAT = nullQueue
[setnull1]
REGEX = builds
DEST_KEY = queue
FORMAT = nullQueue
3) Restart Splunk Enterprise.
Have a look at this doc for more info:
http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Forwarding/Routeandfilterdatad#Discard_specif...
Let me know if this helps!
Here is what I tried, and it didn't work:
Input.conf:
[monitor:///trvapps/logs/cisco]
sourcetype = cisco:asa
index = network
disabled = 0
Props.conf:
[source::/trvapps/logs/cisco]
EXTRACT-serial_number = Certificate was successfully validated. serial number:\s+([0-9A-Z]+).*
EXTRACT-user = Certificate was successfully validated. serial number:.\s[0-9A-Z]+\,\ssubject\sname:\s+cn=([A-Z0-9a-z]+)\,.
TRANSFORMS = cisco-setnull
TRANSFORMS = cisco-extractions
transform.conf:
[cisco-setnull]
REGEX =[A-Za-z]+\s\d+:\d+:\d+:\s[a-zA-Z]+\s %ASA-\d-302013:.*
DEST_KEY=queue
FORMAT = nullQueue
[cisco-extractions]
REGEX = %ASA-7
DEST_KEY = queue
FORMAT = nullQueue
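To see why the two-transform setup from the answer above works and why the pair of bare TRANSFORMS lines in the config posted last does not, here is an added example (my own code, not part of this thread and not Splunk's implementation) that simulates the relevant slice of Splunk's behaviour: a minimal .conf parser in which a repeated key inside one stanza overwrites the earlier value, a TRANSFORMS-<class> list read from the matching [source::...] stanza, and each transform's REGEX applied as an unanchored search against the raw event, with DEST_KEY = queue / FORMAT = nullQueue discarding the match. The source path /trvapps/logs/cisco/asa.log, the transform names asa-setnull-built and asa-setnull-teardown, and the sample syslog lines are all constructed for the example; the regexes key on the Cisco ASA message IDs 302013/302015 (connection built) and 302014/302016 (connection teardown) rather than on the English words, because REGEX matching is case-sensitive and "Teardown" in a real event would not match the keyword "teardowns".

```python
"""Simulate Splunk nullQueue routing (props.conf + transforms.conf) for Cisco ASA events.

Added example, not from the thread or from Splunk. Only the pieces that matter
for event filtering are modelled: stanza/key parsing with last-key-wins, the
TRANSFORMS-<class> list for a source, and REGEX -> queue/nullQueue discards.
"""
import re

# Constructed sample ASA syslog events (documentation IP ranges, no real device).
SAMPLE_EVENTS = [
    'Jan 10 12:00:01 fw01 %ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.5/51234 (203.0.113.5/51234) to inside:10.0.0.8/443 (10.0.0.8/443)',
    'Jan 10 12:00:02 fw01 %ASA-6-302014: Teardown TCP connection 12345 for outside:203.0.113.5/51234 to inside:10.0.0.8/443 duration 0:00:01 bytes 1500 TCP FINs',
    'Jan 10 12:00:03 fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.9/4444 dst inside:10.0.0.8/22 by access-group "OUTSIDE_IN"',
    'Jan 10 12:00:04 fw01 %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.2 : user = jdoe',
]

# Working props.conf: one TRANSFORMS-<class> key naming both transforms.
# The stanza must match the monitored file's path (assumed here), not the directory.
WORKING_PROPS = r"""
[source::/trvapps/logs/cisco/asa.log]
TRANSFORMS-null = asa-setnull-built, asa-setnull-teardown
"""

# Broken variant mirroring the thread: two bare TRANSFORMS keys in one stanza.
# The second assignment replaces the first, so the "built" transform is never consulted.
BROKEN_PROPS = r"""
[source::/trvapps/logs/cisco/asa.log]
TRANSFORMS = asa-setnull-built
TRANSFORMS = asa-setnull-teardown
"""

# transforms.conf: keyword-only regexes on the ASA message IDs, no leading/trailing .*
TRANSFORMS_CONF = r"""
[asa-setnull-built]
REGEX = %ASA-\d-30201[35]:
DEST_KEY = queue
FORMAT = nullQueue

[asa-setnull-teardown]
REGEX = %ASA-\d-30201[46]:
DEST_KEY = queue
FORMAT = nullQueue
"""


def parse_conf(text):
    """Parse a minimal .conf into {stanza: {key: value}}; a repeated key overwrites."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep and current is not None:
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def transform_names(props, source):
    """Collect transform names from every TRANSFORMS[-<class>] key of the source stanza."""
    stanza = props.get(f"source::{source}", {})
    names = []
    for key, value in stanza.items():
        if key == "TRANSFORMS" or key.startswith("TRANSFORMS-"):
            names.extend(n.strip() for n in value.split(",") if n.strip())
    return names


def route_events(props_text, transforms_text, source, events):
    """Return (kept, dropped): an event is dropped if any listed transform's REGEX
    matches it (unanchored search) and routes it to queue=nullQueue."""
    props = parse_conf(props_text)
    transforms = parse_conf(transforms_text)
    names = transform_names(props, source)
    kept, dropped = [], []
    for event in events:
        discard = False
        for name in names:
            t = transforms.get(name, {})
            regex = t.get("REGEX")
            if not regex:
                continue
            if re.search(regex, event) and t.get("DEST_KEY") == "queue" and t.get("FORMAT") == "nullQueue":
                discard = True
                break
        (dropped if discard else kept).append(event)
    return kept, dropped


def message_ids(events):
    """Extract the six-digit ASA message ID from each event, for compact reporting."""
    return [m.group(1) for e in events for m in [re.search(r"%ASA-\d-(\d{6}):", e)] if m]


if __name__ == "__main__":
    src = "/trvapps/logs/cisco/asa.log"
    for label, props in (("working", WORKING_PROPS), ("broken", BROKEN_PROPS)):
        kept, dropped = route_events(props, TRANSFORMS_CONF, src, SAMPLE_EVENTS)
        print(f"{label}: kept {message_ids(kept)}, dropped {message_ids(dropped)}")
```

With the working props the two connection build/teardown events are discarded and the deny and AAA events survive; with the broken props only the teardown transform runs, so the 302013 build event is indexed anyway. Two practical checks follow from this: keep the discard regexes to the smallest distinguishing token (the message ID), so a later change in the surrounding syslog prefix cannot silently turn the filter off and flood the index, and place these props/transforms where the parsing pipeline actually runs (indexer or heavy forwarder), because a universal forwarder does not evaluate nullQueue routing for plain monitored files.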