Can you help me filter events that are coming from...

splunksplunk232 · ‎02-05-2019

Hi all,

I am trying to filter events that are coming from several Splunk universal forwarders.

I have set a Splunk server that gets all the logs from the universal forwarders, filters them, and then sends them to the Splunk index server.

I have read https://docs.splunk.com/Documentation/Splunk/7.1.3/Forwarding/Routeandfilterdatad

I want to keep only the events that continue the words error or fetch and discard the rest.

So, I created props.conf, transforms.conf and outputs.conf in the path $SPLUNK_HOME/etc/system/local.

props.conf

[app_logs]
TRANSFORMS-set=appjunk, appfetch

transforms.conf

[appjunk]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[appfetch]
REGEX = fetch error
DEST_KEY = _TCP_ROUTING
FORMAT = mainindx

outputs.conf

[tcpout:mainindx]
server=10.158.0.6:9997

I have configured the Splunk index server to receive info in port 9997, and also, the Splunk heavy forwarder can receive info in this port.
I have tried to configure the Splunk heavy forwarder in this way, and it won't work, and I tried also to change the order of the TRANSFORMS-set command and transforms.conf and it still won't work.

Thank you in advance

chrisyounger · ‎02-05-2019

The regex used in [appfetch] should instead be fetch|error

splunksplunk232 · ‎02-06-2019

It still not working, I also tried to set the regex to

 REGEX = fetch

And it was not working.

Can you help me filter events that are coming from several universal forwarders?

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...