- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Can you help me with my data filtering query?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to filter the data sourcetype= WinEventLog:Microsoft-Windows-Sysmon/Operational , sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational and the source = E:\Eam\Siteminder\Log\smps.log. These are being sent by some one else to my Splunk instance and I don't want to receive any of the above data from any server. I wrote transforms.conf and props.conf in the heavy forwarder, but still, I am getting that data from all those...
*props.conf *
[WinEventLog:Microsoft-Windows-Sysmon/Operational]
TRANSFORMS-call = noncommon
[WinEventLog:Microsoft-Windows-System]
TRANSFORMS-call = common
[source::*smps.log]
TRANSFORMS-call = filter
transforms.conf :
[noncommon]
SOURCE_KEY = MetaData:Sourcetype
REGEX = Sysmon
DEST_KEY = queue
FORMAT = nullQueue
[common]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[filter]
SOURCE_KEY = MetaData:Source
REGEX = smps
DEST_KEY = queue
FORMAT = nullQueue
[accepted_keys]
is_valid=_SYSLOG_ROUTING
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For filtering events like you want you simply have to create one rule, but you have to define source::
props.conf
[source::WinEventLog:Microsoft-Windows-Sysmon/Operational]
TRANSFORMS-call = drop
[source::WinEventLog:Microsoft-Windows-System]
TRANSFORMS-call = drop
[source::E:\Eam\Siteminder\Log\smps.log]
TRANSFORMS-call = drop
transforms.conf
[drop]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
Put those files on the indexers and restart it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For filtering events like you want you simply have to create one rule, but you have to define source::
props.conf
[source::WinEventLog:Microsoft-Windows-Sysmon/Operational]
TRANSFORMS-call = drop
[source::WinEventLog:Microsoft-Windows-System]
TRANSFORMS-call = drop
[source::E:\Eam\Siteminder\Log\smps.log]
TRANSFORMS-call = drop
transforms.conf
[drop]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
Put those files on the indexers and restart it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@satyaallaparthi Can you confirm that the data in question is first reaching HF and then being forwarded to indexer(s)? Also, if you want all the data with sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational to be sent to null queue, why don't you have REGEX set to . ? And same for smps. Try removing SOURCE_KEY in transforms and restart splunk.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes I did tried REGEX= . and removed the source_key aswell and restarted..and I dont wanna receive any data from those sourcetypes and source E://EAM* but still am getting data from those. Please help me with that.
thanks,
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
