Getting Data In

Events are not getting filtered using props.conf & transforms.conf

sraji
Explorer

I was wondering why none of the filters I implemented are working. Below are my props.conf and transforms.conf files.

props.conf

[source::L:\\sample\\logs\\collections...*>]
TRANSFORMS-set= samplecollectionlogs

[source::L:\\sample\\logs\\(?:commands|webapps|partions)...*>]
TRANSFORMS-set1= samplecommandlogs

[source::L:\\sample\\logs\\engines...*>]
SEDCMD-maskfilterlist = s/\(\(not\(deniedlist1 in \('.*'\)\)\)\) /((not(deniedlist1 in ('_content_removed_by_splunk')))) /

transforms.conf

[samplecollectionlogs]
REGEX = (^\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\s(\{\d+\}\s)?(mapping|custom|TreePrefixBuilder|XB|ScdLookup|\s|\})|^[^0-9\]])
DEST_KEY = queue
FORMAT = indexQueue

[samplecommandlogs]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

Also, my doubt is that the L:\\sample\\logs path is not defined on my heavy Splunk instance (i.e. where my props and transforms files reside), but these paths are defined in the inputs of the universal forwarders. Will source also consider the monitor path from the universal forwarders, or should I define it on the heavy forwarder as well?

0 Karma


gcusello
SplunkTrust

Hi @sraji,

As you can see at https://docs.splunk.com/Documentation/Splunk/8.0.5/Forwarding/Routeandfilterdatad#Filter_event_data_... , to filter events by keeping specific events and discarding the rest, you have to put the transforms on the same row in props.conf.

You only have to pay attention that the setnull transform must come before the other one, something like this:

props.conf

[source::L:\\sample\\logs\\\\...*>]
TRANSFORMS-set= samplecommandlogs,samplecollectionlogs

[source::L:\\sample\\logs\\engines...*>]
SEDCMD-maskfilterlist = s/\(\(not\(deniedlist1 in \('.*'\)\)\)\) /((not(deniedlist1 in ('_content_removed_by_splunk')))) /

transforms.conf:

[samplecollectionlogs]
REGEX = (^\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\s(\{\d+\}\s)?(mapping|custom|TreePrefixBuilder|XB|ScdLookup|\s|\})|^[^0-9\]])
DEST_KEY = queue
FORMAT = indexQueue

[samplecommandlogs]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

Anyway, check the regexes on the regex101 site.

If instead you want only to discard specific events, you can use only "samplecommandlogs".

Ciao.

Giuseppe 

0 Karma
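To see why the order on that TRANSFORMS line matters, here is a small Python simulation of the queue-routing chain (an added example, not code from the thread or from Splunk). It replays the two transforms above over a few constructed log lines and assumes the Splunk rule that every transform whose REGEX matches writes DEST_KEY=queue, so the last match wins.

```python
import re

# The two transforms from the thread, in the order recommended above:
# the catch-all nullQueue first, then the keep-list that resets matching
# events to indexQueue. Reversing them would send everything to nullQueue.
TRANSFORMS = [
    # [samplecommandlogs]  REGEX = .  -> nullQueue
    {"name": "samplecommandlogs", "regex": re.compile(r"."), "queue": "nullQueue"},
    # [samplecollectionlogs]  -> indexQueue
    {"name": "samplecollectionlogs",
     "regex": re.compile(r"(^\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\s(\{\d+\}\s)?"
                         r"(mapping|custom|TreePrefixBuilder|XB|ScdLookup|\s|\})|^[^0-9\]])"),
     "queue": "indexQueue"},
]


def route(event, transforms):
    """Return the queue an event ends up in after the transform chain.

    Models a single TRANSFORMS-<class> = a,b,... line: each transform is tried
    in order, and every one whose REGEX matches overwrites DEST_KEY=queue.
    Events that match nothing keep the default indexQueue.
    """
    queue = "indexQueue"
    for t in transforms:
        if t["regex"].search(event):
            queue = t["queue"]
    return queue


def route_all(events, transforms):
    """Map each event to its final queue, for a quick before/after comparison."""
    return {e: route(e, transforms) for e in events}


# Constructed sample lines (not from the thread) covering both regex branches.
SAMPLE_EVENTS = [
    "2024-05-01 12:00:00 {42} mapping loaded 17 rules",  # timestamp + keyword: kept
    "2024-05-01 12:00:01 XB request completed",           # timestamp + keyword: kept
    "2024-05-01 12:00:02 DEBUG heartbeat",                # timestamp, no keyword: dropped
    "INFO startup complete",                              # not digit/']' first: kept
    "]trailing bracket line",                             # starts with ']': dropped
]

if __name__ == "__main__":
    for event, queue in route_all(SAMPLE_EVENTS, TRANSFORMS).items():
        print(f"{queue:10s}  {event}")
    # With the order reversed, the catch-all runs last and wins every time.
    print(set(route_all(SAMPLE_EVENTS, list(reversed(TRANSFORMS))).values()))
```

Running it shows three lines routed to indexQueue and two to nullQueue, while the reversed order yields only nullQueue, which is the symptom you get when the catch-all sits after the keep-list.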

sraji
Explorer

Hi @gcusello, yes, I have made the changes as given, but the events from samplecommandlogs are still getting indexed.

0 Karma

gcusello
SplunkTrust

Hi @sraji,

Where did you locate the props.conf and transforms.conf? They must be located on Indexers or (when present) on Heavy Forwarders, not on Universal Forwarders.

Then, are you speaking of the first case (keep specific events and discard the rest) or the second (discard specific events)?

If the first, the meaning of the configuration is that you take only the events that match the regex and discard all the others.

If the second, you directly discard the events that match the regex.

Did you restart Splunk?

Ciao.

Giuseppe

0 Karma

sraji
Explorer

Hi @gcusello,

props.conf and transforms.conf are located under <splunk_home>/etc/system/local/. Yes, it is a heavy forwarder, because only search and index are available here.

For samplecollectionlogs I don't have any logs that match right now, so no events are filtered --> anyway, I can't test this until I have events related to it.
For samplecommandlogs it needs to discard all the events that match --> this is not discarding the documents.

Yes, I have restarted the Splunk instance from Settings --> Server controls --> Restart Splunk.
0 Karma