Getting Data In

Filtering out data (from a forwarder) on Indexer?

spunk311z
Path Finder

Hi, I have several universal forwarders deployed, and I'm getting lots of events I want to filter out.

I understand from reading answers here that I need to do this on the indexer (or else install heavy forwarders on my endpoints, which I don't want to do).
This is a raw entry that I'm trying to drop / filter out on my indexer (i.e. to keep it from using up lots of my license):

    02/13/2020 10:19:09.016
    event_status="(0)The operation completed successfully."
    pid=1216
    process_image="c:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
    registry_type="CreateKey"
    key_path="HKLM\system\controlset001\services\tcpip\parameters"
    data_type="REG_NONE"
    data=""

This is the entry from inputs.conf on the forwarders that is sending some of the events I want to filter out:

    [WinRegMon://default]
    disabled = 0
    hive = .*
    proc = .*
    type = rename|set|delete|create

And I have added these lines on my indexer (and restarted), but I'm still seeing the events come in:

    # in props.conf (located in C:\Program Files\Splunk\etc\users\admin\search\local\props.conf):
    [WinRegMon://default]
    TRANSFORMS-set = setnull

    # in transforms.conf (located in C:\Program Files\Splunk\etc\users\admin\search\local\transforms.conf):
    [setnull]
    REGEX = process_image=.+vmtoolsd.exe"
    DEST_KEY = queue
    FORMAT = nullQueue

Thanks!
(I've been referencing many answers, including this good one):
https://answers.splunk.com/answers/37423/how-to-configure-a-forwarder-to-filter-and-send-the-specific-events-i-want.html



to4kawa
Ultra Champion

transforms.conf

    [setnull]
    REGEX = (?s).*process_image.*vmtoolsd\.exe.*
    DEST_KEY = queue
    FORMAT = nullQueue

REGEX captures all.


manjunathmeti
Champion

The stanza name in props.conf should be source::<source> or a sourcetype. Set the sourcetype attribute in inputs.conf and use the same name as the stanza in props.conf. You can also put props.conf and transforms.conf on the universal forwarders.

inputs.conf

    [WinRegMon://default]
    disabled = 0
    hive = .*
    proc = .*
    type = rename|set|delete|create
    sourcetype = winregmonitor

props.conf

    [winregmonitor]
    TRANSFORMS-set = setnull
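As an added illustration (not code from the question or from any of the answers), a small Python model of how index-time routing picks a transform: it parses the question's props/transforms snippets and shows that a props stanza named after the input ([WinRegMon://default]) never fires for the event, while a stanza named after the sourcetype assigned in inputs.conf (winregmonitor, as in the answer above) sends the same event to nullQueue. The model is a simplifying assumption: it keys props only on sourcetype, ignores source::/host:: stanzas, and uses Python's re where Splunk uses PCRE.

```python
import configparser
import re

# Constructed sample: the raw WinRegMon event from the question as one multi-line _raw value.
RAW_EVENT = """02/13/2020 10:19:09.016
event_status="(0)The operation completed successfully."
pid=1216
process_image="c:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe"
registry_type="CreateKey"
key_path="HKLM\\system\\controlset001\\services\\tcpip\\parameters"
data_type="REG_NONE"
data=""
"""
# transforms.conf exactly as the question has it.
TRANSFORMS_CONF = """[setnull]
REGEX = process_image=.+vmtoolsd.exe"
DEST_KEY = queue
FORMAT = nullQueue
"""
# props.conf keyed on the input stanza name, as in the question ...
PROPS_INPUT_NAME = """[WinRegMon://default]
TRANSFORMS-set = setnull
"""
# ... and keyed on the sourcetype that inputs.conf assigns, as the answer suggests.
PROPS_SOURCETYPE = """[winregmonitor]
TRANSFORMS-set = setnull
"""

def load_conf(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep attribute names case-sensitive, as Splunk does
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def route_event(raw, sourcetype, props_text, transforms_text):
    """Simplified model of index-time routing: the props stanza named after the event's
    sourcetype selects TRANSFORMS-* classes; a transform with DEST_KEY = queue whose REGEX
    matches _raw sends the event to its FORMAT (e.g. nullQueue); otherwise indexQueue."""
    props, transforms = load_conf(props_text), load_conf(transforms_text)
    stanza = props.get(sourcetype)
    if stanza is None:
        return "indexQueue"  # no stanza for this sourcetype, so no transform runs at all
    for attr, value in stanza.items():
        if attr.startswith("TRANSFORMS-"):
            for name in (n.strip() for n in value.split(",")):
                t = transforms[name]
                if t.get("DEST_KEY") == "queue" and re.search(t["REGEX"], raw):
                    return t["FORMAT"]
    return "indexQueue"
```

Note that the question's REGEX does match the sample event; what stops it from firing is the stanza name (and, per the last answer, the users\admin location), not the pattern.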

anmolpatel
Builder

After making the changes, did you do any of the following:
- run the search: | extract reload=T
  OR
- open http[s]://[splunkWebHostname]:[splunkWebPort]/debug/refresh
  OR
- restart Splunk -- /opt/splunk/bin/splunk restart?

and then validate?


isoutamo
SplunkTrust

You should put these under ...\etc\apps\local or ...\etc\system\local instead of under users\admin if you want to use them at index time.

Ismo
