Solved: Heavy Forwarder filter

benedetto · ‎09-27-2012

Hi,

I have this example of log:

hhhh/mm/dd hh:mm:ss :MGR ,nnnnn:nnn(text):1 [-07728 text.] : Event : Done by > 'text'

I would like to filter by code "07728".

How can do it?

Thanks in advance, Best regards

MarioM · ‎09-27-2012

By filter do you mean discard events containing the value 07728 ?

Then For example you could do:

In props.conf, set the TRANSFORMS-null attribute:

[source::<your_source_path]
TRANSFORMS-null= setnull

In transforms.conf:

[setnull]
REGEX=\[.*07728.*\]
DEST_KEY=queue
FORMAT=nullQueue

*UPDATE*

Keep specific events and discard the rest

In this example, the order of the transforms in props.conf matters. The null queue transform must come first; if it comes later, it will invalidate the previous transform and route all events to the null queue.

In props.conf:

[source::<your_source_path]
TRANSFORMS-set= setnull,setparsing

In transforms.conf:

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX=\[.*(07728|07729|07730).*\]
DEST_KEY = queue
FORMAT = indexQueue

View solution in original post

MarioM · ‎09-27-2012

By filter do you mean discard events containing the value 07728 ?

Then For example you could do:

In props.conf, set the TRANSFORMS-null attribute:

[source::<your_source_path]
TRANSFORMS-null= setnull

In transforms.conf:

[setnull]
REGEX=\[.*07728.*\]
DEST_KEY=queue
FORMAT=nullQueue

*UPDATE*

Keep specific events and discard the rest

In this example, the order of the transforms in props.conf matters. The null queue transform must come first; if it comes later, it will invalidate the previous transform and route all events to the null queue.

In props.conf:

[source::<your_source_path]
TRANSFORMS-set= setnull,setparsing

In transforms.conf:

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX=\[.*(07728|07729|07730).*\]
DEST_KEY = queue
FORMAT = indexQueue

GreeshmaV · ‎03-19-2015

My event is like this "Type=Error, XXXXXXX, xxxxx, CMP=PUR, API=get Att, XXX, XXX" I need to filter it based on the CMP=PUR, I have tried REGEX = [.CMP=PUR.] but its not working can some one help plzzz

benedetto · ‎09-28-2012

You are Great!!

Thank you very much!!

MarioM · ‎09-27-2012

just seen a typo in your transforms.conf you have twice REGEX and i tried the config on my splunk and it worked.

benedetto · ‎09-27-2012

Yes 🙂

2012/09/27 19:07:48 :MGR ,49660:301(entrust):1 [-07728 Entrust subsystem started.] : Event : Done by > 'Master User Master1' : entash subsystem - Entrust Authority (TM) Security Manager, version 7.1 SP3 Patch 154020(189) @ Jan 5 2010 14:29:19 (PID: 49660)

Thank you very much.

MarioM · ‎09-27-2012

then it sounds like the regex doesnot match your data.

Can you post sample events?

benedetto · ‎09-27-2012

[source::/home/splunk/mgraudit/mgraudit.log]

NO_BINARY_CHECK = 1

pulldown_type = 1

TRANSFORMS-set = setnull,mgraudit

In this way does not send events

[source::/home/splunk/mgraudit/mgraudit.log]

NO_BINARY_CHECK = 1

pulldown_type = 1

TRANSFORMS-set = mgraudit

In this way sends all without filters.
transforms.conf file is equal to the previous.

You know what it depends?

Thank you very much.

MarioM · ‎09-27-2012

that's weird it should work... can you try for test on source instead of sourcetype?

no i am french... 😜 but my mum is sicilian...

benedetto · ‎09-27-2012

I tried with SetNull before mgraudit but this way does not send events.
I tried without SetNull but this way sends all without filters.
I tried with SetNull after mgraudit but this way does not send events.

After modifying the file I restarted splunk.
Anyway, now try again.

ps: are you Italian?

Thank you very much.

MarioM · ‎09-27-2012

in your props.conf setnull should be first:
TRANSFORMS-set = setnull,mgraudit

and you need to restart splunk

benedetto · ‎09-27-2012

props.conf:

[prova_mgraudit]    
NO_BINARY_CHECK = 1    
pulldown_type = 1    
TRANSFORMS-set = mgraudit,setnull

transforms.conf:

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[mgraudit]
REGEX = REGEX=\[.*(07728|07895).*\]
DEST_KEY = queue
FORMAT = indexQueue

I have other filters so I used [mgraudit] instead of the file setparsing transforms.conf.
prova_mgraudit is the surcetype that I created via the web interface and corresponds to the log file that I want to filter.

Thank you very much.

MarioM · ‎09-27-2012

can you post you props and transforms?

benedetto · ‎09-27-2012

I tried with SetNull before setparsing but this way does not send events.
I tried without SetNull but this way sends all without filters.

Thank you very much.

MarioM · ‎09-27-2012

I have updated the previous answer and you will have to put the list of all the codes in the regex and between () separated by |

benedetto · ‎09-27-2012

Hi,

Thank you for your answer,
I would like to receive only the logo containing a list of codes for example 07728. The codes are about 80.
Just replace SetNull and nullQueue with setparsing and indexQueue?
How can I specify a list of values to be sent?

Thank you very much.

Heavy Forwarder filter

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?