Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Event filtering on Heavy-Forwarder

muhammadalavi19
Loves-to-Learn
‎07-02-2019 09:32 AM

Hi guys
I have a multi tier Splunk implementation as following :

Syslog ----> Heavy-Forwarder ----> Indexer
Universal Forwarder ------> Heavy-Forwarder ----> Indexer

Regarding that i need an event filtering on the HF . The event in question is Cisco ACS event and i want to ignore system statistics logs of mentioned product . So I've build the following configuration :

props.conf
[udp://192.168.110.30:516]
TRANSFORMS-set = Cisco_ACS

tranforms.conf
[Cisco_ACS]
REGEX = System-Stats
DEST_KEY = queue
FORMAT = nullQueue

Following you can see an example of such log :
Jul 2 20:44:02 192.168.110.30 Jul 2 16:14:02 ACS CSCOacs_System_Statistics 0000028700 1 0 2019-07-02 16:14:02.670 +00:00 0000099874 70000 NOTICE System-Stats: ACS Utilization, ACSVersion=acs-5.8.1.4-B.462.x86_64, ConfigVersionId=5, SysStatsUtilizationCpu=5.48%, SysStatsUtilizationNetwork=eth0: rcvd = 10045\; sent = 1547, SysStatsUtilizationMemory=39.72%, SysStatsUtilizationDiskIO=0.74%, SysStatsUtilizationDiskSpace=21.19% /opt/CSCOacs/runtime, SysStatsUtilizationDiskSpace=24.82% /, SysStatsUtilizationDiskSpace=12.35% /boot, SysStatsUtilizationDiskSpace=8.29% /home, SysStatsUtilizationDiskSpace=7.44% /localdisk, SysStatsUtilizationDiskSpace=21.19% /opt, SysStatsUtilizationDiskSpace=6.84% /storedconfig, SysStatsUtilizationDiskSpace=7.97% /tmp, SysStatsUtilizationDiskSpace=16.39% /var, AverageRadiusRequestLatency=0, AverageTacacsRequestLatency=0, DeltaRadiusRequestCount=0, DeltaTacacsRequestCount=0,

So i need to filter any log containing "System-Stats" . but my configuration is not working . I guess there is a problem in my REGEX syntax . I need help seriously .

Thanks in advance.

Tags (1)
0 Karma
Reply

spayneort
Contributor
‎07-02-2019 01:19 PM

Is udp://192.168.110.30:516 the sourcetype for this data? That is what your props.conf indicates. If not, you may need to replace that with something else, such as one of the following:

#Sourcetype:
[cisco:acs]

#Source:
[source::udp://192.168.110.30:516]

#Host:
[host::192.168.110.30]
0 Karma
Reply

muhammadalavi19
Loves-to-Learn
‎07-02-2019 07:37 PM

Yes the source is what mentioned in props.conf and it's true.

0 Karma
Reply

sandeepmakkena
Contributor
‎07-02-2019 11:20 AM

tranforms.conf
[Cisco_ACS]
REGEX = System-Stats:

Try this.
thanks.

0 Karma
Reply

muhammadalavi19
Loves-to-Learn
‎07-02-2019 07:39 PM

Tried and was unsuccessful ! 😞

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk App for Anomaly Detection End of Life Announcment

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...