- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Filtering out data (from a forwarder) on Indexer?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Filtering out data (from a forwarder) on Indexer?
hi, i have several universal forwarders deployed, and im getting lots of events i want to filter out.
I understand from reading answers here i need to do this on the indexer (or else install heavy forwaders on my endpoints, which i dont want to do).
This is a raw entry that im trying to drop / filter out from my indexer (ie to keep it from using up lots of my license):
02/13/2020 10:19:09.016
event_status="(0)The operation completed successfully."
pid=1216
process_image="c:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
registry_type="CreateKey"
key_path="HKLM\system\controlset001\services\tcpip\parameters"
data_type="REG_NONE"
data=""
This is the entry from the inputs.conf on the forwarders that is sending some of the events i want to filter out:
[WinRegMon://default]
disabled = 0
hive = .*
proc = .*
type = rename|set|delete|create
And i have added these lines on my indexer (and restarted), but im still seeing the events come in:
#on props.conf ( located in: C:\Program #Files\Splunk\etc\users\admin\search\local\props.conf):
[WinRegMon://default]
TRANSFORMS-set= setnull
#on transforms.conf ( located in: C:\Program #Files\Splunk\etc\users\admin\search\local\transforms.conf):
[setnull]
REGEX = process_image=.+vmtoolsd.exe"
DEST_KEY = queue
FORMAT = nullQueue
Thanks!
(ive been referencing many answers, including this good one):
(h)ttps:// answers.splunk.com/answers/37423/how-to-configure-a-forwarder-to-filter-and-send-the-specific-events-i-want.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This might help you!
https://docs.splunk.com/Documentation/Splunk/8.0.2/Forwarding/Routeandfilterdatad
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
transforms.conf
[setnull]
REGEX = (?s).*process_image.*vmtoolsd\.exe.*
DEST_KEY = queue
FORMAT = nullQueue
REGEX captures all.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Stanza name in props.conf should be source::<source*>* or sourcetype. Set sourcetype attribute in inputs.conf and use same as stanza in props.conf. You can also put props.conf and transforms.conf on universal forwarders.
inputs.conf
[WinRegMon://default]
disabled = 0
hive = .*
proc = .*
type = rename|set|delete|create
sourcetype = winregmonitor
props.conf
[winregmonitor]
TRANSFORMS-set= setnull
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
after making the changes, did you do any of the following:
- run the search:
| extract reload=T
OR
- http[s]://[splunkWebHostname]:[splunkWebPort]/debug/refresh
OR
- restart splunk -- /opt/splunk/bin/splunk restart?
and then validate ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should put these under ...\etc\apps\local or ...\etc\system\local instead of under user\admin if you want use those on indexing time.
Ismo
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
