Events are not getting filtered using props.conf & transforms.conf

sraji
Explorer

I was wondering why none of the filters I implemented are working. Below are my props.conf and transforms.conf files.

props.conf

[source::L:\\sample\\logs\\collections...*>]
TRANSFORMS-set= samplecollectionlogs

[source::L:\\sample\\logs\\(?:commands|webapps|partions)...*>]
TRANSFORMS-set1= samplecommandlogs

[source::L:\\sample\\logs\\engines...*>]
SEDCMD-maskfilterlist = s/\(\(not\(deniedlist1 in \('.*'\)\)\)\) /((not(deniedlist1 in ('_content_removed_by_splunk')))) /

transforms.conf

[samplecollectionlogs]
REGEX = (^\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\s(\{\d+\}\s)?(mapping|custom|TreePrefixBuilder|XB|ScdLookup|\s|\})|^[^0-9\]])
DEST_KEY = queue
FORMAT = indexQueue

[samplecommandlogs]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

Also, my doubt is this: the L:\\sample\\logs paths are not defined on my heavy forwarder (i.e. where my props.conf and transforms.conf files reside), but these paths are defined in the inputs of the universal forwarders. Will the source also take the monitor path from the universal forwarders, or should I define it on the heavy forwarder as well?



gcusello
SplunkTrust

Hi @sraji,

as you can see at https://docs.splunk.com/Documentation/Splunk/8.0.5/Forwarding/Routeandfilterdatad#Filter_event_data_... , to filter events by keeping specific events and discarding the rest, you have to put the commands on the same row in props.conf.

You only have to pay attention that the setnull must come before the other, something like this:

props.conf

[source::L:\\sample\\logs\\\\...*>]
TRANSFORMS-set= samplecommandlogs,samplecollectionlogs

[source::L:\\sample\\logs\\engines...*>]
SEDCMD-maskfilterlist = s/\(\(not\(deniedlist1 in \('.*'\)\)\)\) /((not(deniedlist1 in ('_content_removed_by_splunk')))) /

transforms.conf:

[samplecollectionlogs]
REGEX = (^\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\s(\{\d+\}\s)?(mapping|custom|TreePrefixBuilder|XB|ScdLookup|\s|\})|^[^0-9\]])
DEST_KEY = queue
FORMAT = indexQueue

[samplecommandlogs]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

Anyway, check the regexes on the regex101 site.

If instead you want only to discard specific events, you can use only "samplecommandlogs".

Ciao.

Giuseppe 

sraji
Explorer

Hi @gcusello, yes, I have made the changes as given, but the events from samplecommandlogs are still getting indexed.

gcusello
SplunkTrust

Hi @sraji,

where did you locate the props.conf and transforms.conf? They must be located on Indexers or (when present) on Heavy Forwarders, not on Universal Forwarders.

Then, are you speaking of the first case (keep specific events and discard the rest) or the second (discard specific events)?

If the first, the meaning of the command is that you keep only the events that match the regex and discard all the others.

If the second you directly discard the events that match the regex.

Did you restart Splunk?

Ciao.

Giuseppe

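The two answers above hinge on one rule: in a TRANSFORMS-&lt;class&gt; list Splunk evaluates the transforms left to right, and for DEST_KEY = queue the last transform whose REGEX matches decides the queue, so the nullQueue transform must come first and the indexQueue transform that keeps the wanted events second. The script below is an added example (not code from the original thread and not Splunk's own code) that models that rule in Python and runs it over a few constructed log lines using the regexes exactly as posted in the transforms.conf stanzas. It is an approximation of the routing logic (Python re instead of PCRE, single-line events), useful for checking which lines the keep-regex actually matches before restarting Splunk; the sample lines and the names route_event / route_all are assumptions for illustration.

```python
import re

# Replica of the two transforms.conf REGEX values from the thread.
# Splunk evaluates REGEX with PCRE as an unanchored search; re.search behaves
# the same for these patterns (the only anchor used is ^ on a one-line event).
KEEP_REGEX = re.compile(
    r"(^\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}\s(\{\d+\}\s)?"
    r"(mapping|custom|TreePrefixBuilder|XB|ScdLookup|\s|\})|^[^0-9\]])"
)                                  # [samplecollectionlogs] -> indexQueue
DISCARD_ALL = re.compile(r".")     # [samplecommandlogs]    -> nullQueue

# Recommended order: discard everything first, then re-route the keepers.
RECOMMENDED_ORDER = [(DISCARD_ALL, "nullQueue"), (KEEP_REGEX, "indexQueue")]
# Reversed order: the nullQueue transform runs last and wins for every event.
REVERSED_ORDER = [(KEEP_REGEX, "indexQueue"), (DISCARD_ALL, "nullQueue")]

# Constructed sample events (assumed input, not taken from the original thread).
SAMPLE_EVENTS = [
    "2024-06-01 12:00:00 mapping table loaded",          # keep: 'mapping'
    "2024-06-01 12:00:01 {42} custom lookup refreshed",  # keep: '{42} custom'
    "2024-06-01 12:00:02 ERROR connection refused",      # drop: no keyword
    "    at com.example.Foo.bar(Foo.java:12)",           # keep: continuation line
    "] stray bracket line",                              # drop: starts with ']'
]


def route_event(event, transforms):
    """Model DEST_KEY = queue for one TRANSFORMS-<class> list.

    Transforms are applied left to right; each one whose REGEX matches
    overwrites the queue key, so the LAST matching transform decides.
    An event that no transform matches stays on the default indexQueue.
    """
    queue = "indexQueue"
    for regex, fmt in transforms:
        if regex.search(event):
            queue = fmt
    return queue


def route_all(events, transforms):
    """Return {queue_name: [events]} for a batch of events."""
    routed = {"indexQueue": [], "nullQueue": []}
    for event in events:
        routed[route_event(event, transforms)].append(event)
    return routed


if __name__ == "__main__":
    for label, order in (("recommended", RECOMMENDED_ORDER), ("reversed", REVERSED_ORDER)):
        result = route_all(SAMPLE_EVENTS, order)
        print(f"{label}: indexed={len(result['indexQueue'])} dropped={len(result['nullQueue'])}")
        for ev in result["nullQueue"]:
            print("  dropped:", ev)
```

With the recommended order the script indexes the three lines the keep-regex matches and drops the other two; with the order reversed every line ends up on nullQueue, which is the symptom to look for when a "keep only these events" rule silently discards everything. Swap in your own lines to verify the keep-regex before relying on it, since an event it does not match is lost at parse time.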
sraji
Explorer

Hi @gcusello ,

Props.conf and transforms.conf are located under

<splunk_home>/etc/system/local/. Yes, it is a heavy forwarder, because only search and index are available here.

For samplecollectionlogs I don't have any logs that match right now, so no events are filtered --> anyway, I can't test this until I have events related to this.

For samplecommandlogs it needs to discard all the events that match --> this is not discarding the documents.

Yes, I have restarted the Splunk instance from Settings --> Server controls --> Restart Splunk.