Filter syslog input before indexing

bumjubeo
Explorer

I am looking to filter my syslog traffic before it gets indexed by Splunk, as we are getting a fair bit of fluff from our ESXi hosts.

This is what I have set up so far, and it doesn't appear to be working... it may be an error in my regex, I'm hoping not haha.

-props.conf-

[source::SyslogVMware]
TRANSFORMS-null = setnull

-transforms.conf-

[setnull]
REGEX = [hostd]
DEST_KEY = queue
FORMAT = nullQueue

I am hoping to remove all alerts received from hostd before being indexed, but this doesn't appear to filter anything and I'm hoping I can get a quick pointer in the right direction.

Thanks!

0 Karma

bumjubeo
Explorer

Type your custom source correctly and this issue won't be a problem. 😉

bumjubeo
Explorer

Ends up the initial regex Hostd: wasn't actually working because Vpxa was being so chatty I didn't notice any Hostd logs. Upon further filtering the search I noticed Hostd was sending logs. Looked at my custom source name and I was using the Sourcetype name and not the Source name.

0 Karma

bumjubeo
Explorer

Figured out a bit... my regex didn't need [hostd].

I made my REGEX = Hostd:

and this worked, I am not working on the or command which should be a pipe... aren't the conf files using Perl regexes?

0 Karma
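
The two failure modes in this thread (a `source::` stanza that holds the sourcetype name, and `[hostd]` read as a character class) can be checked with a dry run before events are discarded for good. This Python sketch is an added example, not part of the original posts and not Splunk code; the sample events, the source name `udp:514` and the helper names are constructed assumptions, and stanza matching is simplified to exact names.

```python
import re

# Constructed sample events (assumed, not from the thread): (source, sourcetype, raw)
SAMPLES = [
    ("udp:514", "SyslogVMware", "<166>2024-01-01T00:00:01Z esx01 Hostd: [info] Task completed"),
    ("udp:514", "SyslogVMware", "<166>2024-01-01T00:00:02Z esx01 Vpxa: [verbose] heartbeat"),
    ("udp:514", "SyslogVMware", "<38>2024-01-01T00:00:03Z esx01 sshd[2101]: Accepted password for root"),
    ("udp:514", "SyslogVMware", "<13>2024-01-01T00:00:04Z esx01 vmkernel: cpu3: NMI received"),
]


def stanza_applies(stanza, source, sourcetype):
    """Decide whether a props.conf stanza header applies to an event.

    Simplified: [source::<name>] is compared to the event's source and a bare
    [<name>] to its sourcetype, both as exact strings (wildcards and host::
    stanzas are not modelled).
    """
    if stanza.startswith("source::"):
        return stanza[len("source::"):] == source
    return stanza == sourcetype


def dropped(stanza, regex, samples=SAMPLES):
    """Return the raw events the transform would route to nullQueue.

    REGEX is applied as an unanchored search over the raw event text.
    """
    pattern = re.compile(regex)
    return [raw for source, sourcetype, raw in samples
            if stanza_applies(stanza, source, sourcetype) and pattern.search(raw)]


if __name__ == "__main__":
    cases = [
        ("source::SyslogVMware", r"[hostd]"),  # sourcetype name used in a source:: stanza
        ("SyslogVMware", r"[hostd]"),          # character class: any one of h, o, s, t, d
        ("SyslogVMware", r"Hostd:"),           # literal match on the process tag
        ("SyslogVMware", r"(Hostd|Vpxa):"),    # alternation with a pipe
    ]
    for stanza, regex in cases:
        hits = dropped(stanza, regex)
        print(f"[{stanza}] REGEX = {regex} -> {len(hits)}/{len(SAMPLES)} events to nullQueue")
        for raw in hits:
            print("    drop:", raw)
```

With the character class, every sample line, including the sshd login event, is discarded as soon as the stanza actually applies, which is why the regex is worth testing against representative events first.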