Getting Data In

Filter data by props.conf and transform.conf

marco_massari11
Communicator

Hi,

I need to filter out some events from a syslog source. All the events that I need to exclude are like this:

Apr 16 11:24:23 **********  2021-04-16T11:24:23.604+02:00 *************************************** - Modified Query: START TRANSACTION

Can anyone could help?

Thanks in advance

0 Karma
1 Solution

aasabatini
Motivator

Hi @marco_massari11 

props.conf

[source::"your source"]
TRANSFORMS-filter = eventsDrop

 

transforms.conf

[eventsDrop]
REGEX = START\sTRANSACTION
DEST_KEY = queue
FORMAT = nullQueue

to help you better I would need the source and sourcetype info

 

Regards

Alessandro

 

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

View solution in original post

aasabatini
Motivator

Hi @marco_massari11 

props.conf

[source::"your source"]
TRANSFORMS-filter = eventsDrop

 

transforms.conf

[eventsDrop]
REGEX = START\sTRANSACTION
DEST_KEY = queue
FORMAT = nullQueue

to help you better I would need the source and sourcetype info

 

Regards

Alessandro

 

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

marco_massari11
Communicator

Hi @aasabatini ,

my sourcetype is sourcetype=syslog.

So it should be:

[syslog]
TRANSFORMS-filter = eventsDrop

[eventsDrop]
REGEX = START\sTRANSACTION
DEST_KEY = queue
FORMAT = nullQueue

Is it correct?

Regards

Marco

0 Karma

aasabatini
Motivator

Yes @marco_massari11 , it's correct 
props.conf 

[syslog]
TRANSFORMS-filter = eventsDrop

transforms.conf

[eventsDrop]
REGEX = START\sTRANSACTION
DEST_KEY = queue
FORMAT = nullQueue

Confirmation solution or karma given is appreciated

Alessandro

 

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
0 Karma

marco_massari11
Communicator

Hi @aasabatini ,

it seems not working. In my props I have already a: 

[syslog]
TRANSFORMS-null= ****  It exclude an IP in trasnsform.conf.

So I need to do like this?:

[syslog]
TRANSFORMS-null= ****
TRANSFORMS-filter = eventsDrop

 

0 Karma

aasabatini
Motivator

Hi @marco_massari11 

no, you need to put your transformations stanza, separated by comma

example:

 

[syslog]
TRANSFORMS-null= ****,eventsDrop

 

 

consider the possibility to filter only data as you need with regex.



“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
0 Karma

marco_massari11
Communicator

Hi @aasabatini ,

my app hasn't the flag on Restart Splunkd. So now it should be work

0 Karma

marco_massari11
Communicator

Hi @aasabatini ,

this is my inputs.conf, I don't know if it could help:

[udp://****]
connection_host = ip
index = ***
source = ***
sourcetype = syslog

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...