I am trying to set up props & transforms on the indexers to send PROCTITLE events to the null queue.
I tried the regex below, but it doesn't seem to work.
props.conf and transforms.conf location: /app/splunk/etc/apps/TA-linux_auditd/local/
props.conf
[linux_audit]
TRANSFORMS-set = discard_proctitle
[source::/var/log/audit/audit.log]
TRANSFORMS-set = discard_proctitle
transforms.conf
[discard_proctitle]
REGEX = ^type=PROCTITLE.*
DEST_KEY = queue
FORMAT = nullQueue
Sample events:
type=PROCTITLE msg=audit(1750049138.587:1710xxxx): proctitle=737368643A206165705F667470757372205B70726xxxxx
type=PROCTITLE msg=audit(1750049130.891:1710xxxx): proctitle="(systemd)"
type=PROCTITLE msg=audit(1750049102.068:377xxxx): proctitle="/usr/lib/systemd/systemd-logind"
Could someone help me to fix this issue?
When I applied the confs below on the HF, PROCTITLE was discarded successfully. Thanks for your help and suggestions.
props.conf
[linux_audit]
TRANSFORMS-set = discard_proctitle
[source::/var/log/audit/audit.log]
TRANSFORMS-set = discard_proctitle
transforms.conf
[discard_proctitle]
REGEX = ^type=PROCTITLE.*
DEST_KEY = queue
FORMAT = nullQueue
Hi @sawwinnaung ,
First, use a backslash when you have = in your regexes. Anyway, where did you locate these conf files?
They must be located on the first full Splunk instance that the data passes through, in other words on the first Heavy Forwarder (if present) or on the Indexers (if there are no HFs), not on the Universal Forwarder.
Ciao.
Giuseppe
The props.conf and transforms.conf files are located on the indexer under the following path:
/app/splunk/etc/apps/TA-linux_auditd/local/
These configurations previously worked successfully. However, after upgrading the Splunk version and migrating the Linux environment, the configurations no longer seem to function as expected.
Thanks for your suggestions.
Hi @sawwinnaung ,
If you don't have any additional HF in your infrastructure, check the regex you're using (you can test it using the regex command in Splunk).
In this way you can check whether there was some change in the log structure.
Then try using a backslash to escape the = in your regex.
Ciao.
Giuseppe
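As an added example (not code from anyone in this thread), the script below mimics how a nullQueue transform is evaluated, so the REGEX can be checked offline against sample events before touching the indexer. The events are constructed in the shape of the ones in the question, the third with the "node=" prefix auditd adds when name_format is set (an assumption about how the log structure might have changed after the migration), and Python's re stands in for Splunk's PCRE engine.

```python
import re

# Minimal stand-in for reading one [stanza] out of a transforms.conf fragment.
def parse_stanza(text):
    """Return {key: value} for the key = value lines of a stanza."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("[") or line.startswith("#"):
            continue
        key, _, value = line.partition("=")   # split on the first '=' only
        conf[key.strip()] = value.strip()
    return conf

def routes_to_null_queue(transform, event):
    """True if this transform would send the raw event to nullQueue.
    Splunk runs REGEX as an unanchored search over _raw, hence re.search."""
    if transform.get("DEST_KEY") != "queue" or transform.get("FORMAT") != "nullQueue":
        return False
    return re.search(transform["REGEX"], event) is not None

ANCHORED = parse_stanza("""
[discard_proctitle]
REGEX = ^type=PROCTITLE.*
DEST_KEY = queue
FORMAT = nullQueue
""")

UNANCHORED = parse_stanza("""
[discard_proctitle]
REGEX = type=PROCTITLE
DEST_KEY = queue
FORMAT = nullQueue
""")

# Constructed sample events; the third carries a "node=" prefix, which is one
# way the raw line can change so that a ^-anchored regex stops matching.
SAMPLE_EVENTS = [
    'type=PROCTITLE msg=audit(1750049130.891:17100001): proctitle="(systemd)"',
    'type=SYSCALL msg=audit(1750049130.891:17100001): arch=c000003e syscall=59 success=yes exit=0',
    'node=host01 type=PROCTITLE msg=audit(1750049102.068:3770001): proctitle="/usr/lib/systemd/systemd-logind"',
]

def classify(transform, events=SAMPLE_EVENTS):
    """Return (dropped, kept) lists for a transform over the sample events."""
    dropped = [e for e in events if routes_to_null_queue(transform, e)]
    kept = [e for e in events if not routes_to_null_queue(transform, e)]
    return dropped, kept
```

Running classify(ANCHORED) drops only the first event, while classify(UNANCHORED) also drops the prefixed one and keeps the SYSCALL record, which is the behaviour you want to confirm against a real line pulled from the new environment.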
Hi @sawwinnaung ,
Good for you, see you next time!
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated by all the contributors 😉
Hi @sawwinnaung ,
Good for you, see you next time!
Let us know if we can help you more, or, please, accept one answer for the other people of the Community.
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated by all the contributors 😉
Try the below:
props.conf
[linux_audit]
TRANSFORMS-set = discard_proctitle
[source::/var/log/audit/audit.log]
TRANSFORMS-set = discard_proctitle
transforms.conf
[discard_proctitle]
REGEX = type=PROCTITLE
DEST_KEY = queue
FORMAT = nullQueue
Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a kudos/Karma. Thanks!
Thanks for your help. Even though I updated REGEX = type=PROCTITLE in transforms.conf located on the indexer, the filtering still isn’t working.