Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Filter AWS Cloudtrail AwsApiCall events?

martaBenedetti
Path Finder
‎10-13-2022 07:41 AM

Does anybody know a good way to filter out AWS Cloudtrail events? I'd like to send to null queue events that contains eventType=AwsApiCall.

My input is configured as "Generic S3" (https://docs.splunk.com/Documentation/AddOns/released/AWS/S3)

This is what I have on my HF where the Splunk_TA_AWS is installed and configured:

transforms.conf

 

[eliminate-AwsApiCall]
REGEX = \"eventType\":\s+\"AwsApiCall\"
DEST_KEY = queue
FORMAT = nullQueue

 


props.conf:

 

[aws:cloudtrail]
TRANSFORMS-eliminate-AwsApiCall = eliminate-AwsApiCall

 

 

Doesn't seem to be filtering ... any thoughts?

 

Thanks

Marta

Labels (3)
Tags (2)
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...