Getting Data In

Data filtering | Blacklisting help needed

SabariRajanT
Path Finder

I need to filter the log events below so that they are not ingested into Splunk.

%DOMAIN-2-IME:
%DOMAIN-2-IME_DETAILS:
%DOMAIN-5-TCA:

I followed the techniques below, but they didn't work out:

a) Using the regex \%.*\: in transforms.conf (on the heavy forwarder) to filter all 3 of the above domains; even so, the logs are still being ingested into Splunk. Like below:

[elimatedomain_text]
REGEX=\%.*\:
DEST_KEY=queue
FORMAT=nullQueue

b) Using hard-coded values as below in transforms.conf also didn't work out:

REGEX = %DOMAIN-2-IME:

REGEX = %DOMAIN-2-IME_DETAILS:

REGEX = %DOMAIN-5-TCA:

Is there any other solution to blacklist on the heavy forwarder?

0 Karma

harsmarvania57
Ultra Champion

Hi,

Can you please provide the props.conf configuration as well?

0 Karma

SabariRajanT
Path Finder

Hi,

Thanks for your response. Awaiting your help.

Set 1 try:

props.conf:

TRANSFORMS-Set = discard_events, discard_events1, discard_events_2

================================================================================

Set 2 try:

props.conf:

[cisco:ios]
TRANSFORMS-t1=[elimatedomain_text]

transforms.conf:

[elimatedomain_text]
REGEX=\%.*\:
DEST_KEY=queue
FORMAT=nullQueue

0 Karma

harsmarvania57
Ultra Champion

In props.conf, there should be no square brackets in TRANSFORMS.

It should be like:

[cisco:ios]
TRANSFORMS-t1= elimatedomain_text
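
To check what the corrected stanza would actually drop before deploying it, here is an added example (not from this thread or from Splunk) that mimics a nullQueue transform over a few constructed cisco:ios events. It assumes the thread's regex \%.*\: and, as an assumption, a tighter regex that names only the three message codes; the sample events are made up.

```python
import re

# Constructed sample cisco:ios events (not taken from the thread).
SAMPLE_EVENTS = [
    "Jan 10 12:00:01 rtr1 105: %DOMAIN-2-IME: subsystem state change",
    "Jan 10 12:00:02 rtr1 106: %DOMAIN-2-IME_DETAILS: queue depth 42",
    "Jan 10 12:00:03 rtr1 107: %DOMAIN-5-TCA: threshold crossing alert",
    "Jan 10 12:00:04 rtr1 108: %SYS-5-CONFIG_I: Configured from console by admin",
    "Jan 10 12:00:05 rtr1 109: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: x]",
]

# REGEX from the thread's [elimatedomain_text] stanza: any '%' followed
# later by a ':' matches, which is every Cisco %FACILITY-SEV-MNEMONIC: line.
BROAD_REGEX = r"\%.*\:"

# Assumed tighter alternative: only the three codes the poster wants to drop.
NARROW_REGEX = r"%DOMAIN-(?:2-IME(?:_DETAILS)?|5-TCA):"


def route(event: str, regex: str) -> str:
    """Mimic a transforms.conf stanza with DEST_KEY=queue and FORMAT=nullQueue:
    an event whose raw text matches REGEX is routed to nullQueue (discarded),
    anything else continues to indexQueue."""
    return "nullQueue" if re.search(regex, event) else "indexQueue"


def summarize(regex: str, events=SAMPLE_EVENTS) -> dict:
    """Return {'nullQueue': [...], 'indexQueue': [...]} for a candidate REGEX,
    so the drop set can be reviewed before the config goes on the forwarder."""
    out = {"nullQueue": [], "indexQueue": []}
    for event in events:
        out[route(event, regex)].append(event)
    return out


if __name__ == "__main__":
    for name, regex in (("broad", BROAD_REGEX), ("narrow", NARROW_REGEX)):
        dropped = summarize(regex)["nullQueue"]
        print(f"{name}: {len(dropped)} of {len(SAMPLE_EVENTS)} events dropped")
```

With the broad regex every sample event, including the config change and the failed login, lands in nullQueue; the narrow regex drops only the three DOMAIN messages.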
