Data filtering | Blacklisting help needed

SabariRajanT
Path Finder

I want to filter out the log data below so that it is not ingested into Splunk.

%DOMAIN-2-IME:
%DOMAIN-2-IME_DETAILS:
%DOMAIN-5-TCA:

I tried the following techniques, but they didn't work out:

a) Using the regular expression \%.*\: in the transform.conf file (heavy forwarder) to filter all 3 of the above domains, but the logs are still being ingested into Splunk. Like below:

[elimatedomain_text]
REGEX=\%.*\:
DEST_KEY=queue
FORMAT=nullQueue

b) Using hardcoded values as below in the transform.conf file didn't work out:

REGEX = %DOMAIN-2-IME:

REGEX = %DOMAIN-2-IME_DETAILS:

REGEX = %DOMAIN-5-TCA:

Is there any other solution to blacklist on the heavy forwarder?

0 Karma

harsmarvania57
Ultra Champion

Hi,

Can you please provide the props.conf configuration as well?

0 Karma

SabariRajanT
Path Finder

Hi,

Thanks for your response. Awaiting your help.

Set1 try:

Props.conf:

TRANSFORMS-Set = discard_events, discard_events1, discard_events_2

================================================================================

Set2 try:

Props.conf:

[cisco:ios]
TRANSFORMS-t1=[elimatedomain_text]

Transform.conf:

[elimatedomain_text]
REGEX=\%.*\:
DEST_KEY=queue
FORMAT=nullQueue

0 Karma

harsmarvania57
Ultra Champion

In props.conf, there should be no square brackets in TRANSFORMS.

It should be like:

[cisco:ios]
TRANSFORMS-t1= elimatedomain_text
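
An added example, not part of the thread or of Splunk's own tooling: a Python check that previews which events each REGEX would route to nullQueue and flags TRANSFORMS names that match no transforms stanza. The sample events, the TARGETED pattern and the function names are assumptions, and Python's `re` stands in for Splunk's PCRE engine.

```python
import re

# Constructed sample events in Cisco IOS syslog style (not taken from the thread).
SAMPLE_EVENTS = [
    "Jan  1 00:00:01 rtr1 101: %DOMAIN-2-IME: constructed sample",
    "Jan  1 00:00:02 rtr1 102: %DOMAIN-2-IME_DETAILS: constructed sample",
    "Jan  1 00:00:03 rtr1 103: %DOMAIN-5-TCA: constructed sample",
    "Jan  1 00:00:04 rtr1 104: %SEC_LOGIN-4-LOGIN_FAILED: constructed sample",
    "Jan  1 00:00:05 rtr1 105: %SYS-5-CONFIG_I: constructed sample",
]

BROAD = r"\%.*\:"  # REGEX exactly as posted in the thread
# Assumption: an added, narrower pattern covering only the three listed mnemonics.
TARGETED = r"%DOMAIN-(?:2-IME(?:_DETAILS)?|5-TCA):"

TRANSFORMS_CONF = "[elimatedomain_text]\nREGEX=\\%.*\\:\nDEST_KEY=queue\nFORMAT=nullQueue\n"
PROPS_AS_POSTED = "[cisco:ios]\nTRANSFORMS-t1=[elimatedomain_text]\n"
PROPS_CORRECTED = "[cisco:ios]\nTRANSFORMS-t1= elimatedomain_text\n"


def dropped(regex, events):
    """Events an unanchored REGEX would match, i.e. send to nullQueue."""
    pattern = re.compile(regex)
    return [event for event in events if pattern.search(event)]


def unresolved_transforms(props_text, transforms_text):
    """TRANSFORMS-* names in props text that match no stanza in transforms text."""
    stanzas = set(re.findall(r"^\[([^\]]+)\]\s*$", transforms_text, re.M))
    missing = []
    for value in re.findall(r"^TRANSFORMS-[^=\s]+\s*=\s*(.*)$", props_text, re.M):
        # The value is a comma-separated list of stanza names, written without brackets.
        for name in (part.strip() for part in value.split(",")):
            if name and name not in stanzas:
                missing.append(name)
    return missing


if __name__ == "__main__":
    for label, regex in (("broad", BROAD), ("targeted", TARGETED)):
        print(label, "drops", len(dropped(regex, SAMPLE_EVENTS)), "of", len(SAMPLE_EVENTS))
    print("as posted:", unresolved_transforms(PROPS_AS_POSTED, TRANSFORMS_CONF))
    print("corrected:", unresolved_transforms(PROPS_CORRECTED, TRANSFORMS_CONF))
```

Once the props.conf reference resolves, the posted `\%.*\:` pattern would also discard the login-failure and configuration-change samples, so the narrower pattern keeps those events available for detection.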

 
