Getting Data In

Can you help me with my data filtering query?

Path Finder

I am trying to filter the data sourcetype= WinEventLog:Microsoft-Windows-Sysmon/Operational , sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational and the source = E:\Eam\Siteminder\Log\smps.log. These are being sent by some one else to my Splunk instance and I don't want to receive any of the above data from any server. I wrote transforms.conf and props.conf in the heavy forwarder, but still, I am getting that data from all those...

*props.conf *

[WinEventLog:Microsoft-Windows-Sysmon/Operational]
TRANSFORMS-call = noncommon

[WinEventLog:Microsoft-Windows-System]
TRANSFORMS-call = common

[source::*smps.log]
TRANSFORMS-call = filter

transforms.conf :

[noncommon]
SOURCEKEY = MetaData:Sourcetype
REGEX = Sysmon
DEST
KEY = queue
FORMAT = nullQueue

[common]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[filter]
SOURCEKEY = MetaData:Source
REGEX = smps
DEST
KEY = queue
FORMAT = nullQueue

[acceptedkeys]
is
valid=SYSLOGROUTING

1 Solution

Communicator

For filtering events like you want you simply have to create one rule, but you have to define source::

props.conf

[source::WinEventLog:Microsoft-Windows-Sysmon/Operational]
TRANSFORMS-call = drop

[source::WinEventLog:Microsoft-Windows-System]
TRANSFORMS-call = drop

[source::E:\Eam\Siteminder\Log\smps.log]
TRANSFORMS-call = drop

transforms.conf

[drop]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

Put those files on the indexers and restart it.

View solution in original post

0 Karma

Communicator

For filtering events like you want you simply have to create one rule, but you have to define source::

props.conf

[source::WinEventLog:Microsoft-Windows-Sysmon/Operational]
TRANSFORMS-call = drop

[source::WinEventLog:Microsoft-Windows-System]
TRANSFORMS-call = drop

[source::E:\Eam\Siteminder\Log\smps.log]
TRANSFORMS-call = drop

transforms.conf

[drop]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

Put those files on the indexers and restart it.

View solution in original post

0 Karma

Communicator

@satyaallaparthi Can you confirm that the data in question is first reaching HF and then being forwarded to indexer(s)? Also, if you want all the data with sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational to be sent to null queue, why don't you have REGEX set to . ? And same for smps. Try removing SOURCE_KEY in transforms and restart splunk.

0 Karma

Path Finder

Yes I did tried REGEX= . and removed the source_key aswell and restarted..and I dont wanna receive any data from those sourcetypes and source E://EAM* but still am getting data from those. Please help me with that.

thanks,

0 Karma