How can I debug my logs and whitelist a word?

guru865
Path Finder

Hi Everyone.

How do I discard all the debug logs for a sourcetype, but whitelist the word "AuthIDDetection" whenever it appears in events from that sourcetype?

Please, could someone help with this? I have sourcetype "xyz" for which I am discarding events containing the keyword "debug", i.e. we are discarding all the debug logs. I would like to keep discarding all the debug logs for sourcetype "xyz", but whitelist the word "AuthIDDetection" whenever it appears in events from sourcetype "xyz", even within those same debug logs.

current props.conf --

[sourcetype-xyz]
TRANSFORMS-set=xyz-setnull,setparsing

transforms.conf --

[xyz-setnull]
REGEX= debug|\|Notice
DEST_KEY=queue
FORMAT=nullQueue

Could you please help with this.

FYI, I am following this documentation - http://docs.splunk.com/Documentation/Splunk/4.3.1/Deploy/Routeandfilterdatad#Discard_specific_events...

0 Karma
1 Solution

jkat54
SplunkTrust
SplunkTrust

Try this:

Props:
[sourcetype-xyz]
TRANSFORMS-AAA=xyz-whitelist
TRANSFORMS-ZZZ=xyz-setnull

Transforms:
[xyz-whitelist]
REGEX= AuthIDDetection
DEST_KEY=queue
FORMAT=indexQueue

[xyz-setnull]
REGEX= debug|\|Notice
DEST_KEY=queue
FORMAT=nullQueue

0 Karma

guru865
Path Finder

Thanks @jkat54 for the inputs. Sure, I will check this as well. Also, could you please comment on the transforms.conf written below, in tandem with the props.conf? Can I use a setparsing stanza instead of the whitelist in transforms.conf?

Props :

[xyz_server]
TRANSFORMS-set= xyz-setnull,xyz-setparsing
pulldown_type = true
MAX_EVENTS = 20000

transforms.conf

[xyz-setnull]
REGEX = debug|Notice
DEST_KEY = queue
FORMAT = nullQueue

[xyz-setparsing]
REGEX= AuthIDDetection
DEST_KEY=queue
FORMAT=indexQueue

0 Karma

jkat54
SplunkTrust
SplunkTrust

Your example would send everything to setnull first...

do this instead:
TRANSFORMS-set= xyz-setparse,xyz-setnull

My example had it reversed but I corrected it.

0 Karma

jkat54
SplunkTrust
SplunkTrust

After the chat on Slack, here's what you need for your regex, and you only need one transform.

.*\<Notice\>((?!AuthID).)*$

guru865
Path Finder

Thanks a lot @jkat54. Yes, this works. Setting this to nullQueue does the work.

transforms.conf

[xyz-setnull]
REGEX = .*\<Notice\>((?!AuthID).)*$
DEST_KEY = queue
FORMAT = nullQueue
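
To check the two approaches discussed in this thread (the transform ordering between a nullQueue stanza and an indexQueue whitelist, and the single negative-lookahead regex posted later) before touching a production props.conf, here is an added Python simulation. It is not code from the thread or from Splunk; it assumes, as in the "Keep specific events and discard the rest" example in the linked docs, that the transforms listed in TRANSFORMS-set run in order and that each match overwrites the same DEST_KEY, so the last matching transform decides the queue. Python's re module stands in for Splunk's PCRE (it also treats `\<` as a literal `<`), and the sample events are constructed.

```python
import re

# Queue names used by DEST_KEY = queue routing (as posted in the thread).
INDEX_QUEUE = "indexQueue"
NULL_QUEUE = "nullQueue"

# Transform = (stanza name, REGEX, FORMAT). Stanza names and patterns are the
# ones posted in the thread; how they are evaluated is the assumption in route().
SETNULL = ("xyz-setnull", r"debug|Notice", NULL_QUEUE)
SETPARSING = ("xyz-setparsing", r"AuthIDDetection", INDEX_QUEUE)
# Single-stanza variant from the later reply: drop <Notice> events unless
# "AuthID" appears somewhere after the tag.
NOTICE_ONLY = ("xyz-setnull", r".*\<Notice\>((?!AuthID).)*$", NULL_QUEUE)

# Constructed sample events (not taken from the page).
EVENTS = [
    "2024-12-01T10:00:00 <Notice> AuthIDDetection user=alice result=ok",
    "2024-12-01T10:00:01 <Notice> heartbeat ok",
    "2024-12-01T10:00:02 debug AuthIDDetection token refresh",
    "2024-12-01T10:00:03 debug cache miss key=42",
    "2024-12-01T10:00:04 <Error> disk usage 97%",
]


def route(event, transforms):
    """Return the queue an event ends up in.

    Assumption (matches the docs example linked in the question): transforms run
    in the order listed in TRANSFORMS-set, and every matching one overwrites the
    same DEST_KEY, so the LAST match wins. Events no transform matches stay on
    the default indexQueue.
    """
    queue = INDEX_QUEUE
    for _name, regex, fmt in transforms:
        if re.search(regex, event):
            queue = fmt
    return queue


def kept(events, transforms):
    """Events that survive to the index under a given transform list."""
    return [e for e in events if route(e, transforms) == INDEX_QUEUE]


def compare_orders(events):
    """Show why order matters: nullQueue first and the whitelist last keeps the
    AuthIDDetection events; the reverse order lets setnull override the whitelist.
    The single-regex variant only filters <Notice> events and leaves debug alone."""
    return {
        "setnull,setparsing": kept(events, [SETNULL, SETPARSING]),
        "setparsing,setnull": kept(events, [SETPARSING, SETNULL]),
        "single-regex": kept(events, [NOTICE_ONLY]),
    }


if __name__ == "__main__":
    for order, survivors in compare_orders(EVENTS).items():
        print(f"== TRANSFORMS order: {order}")
        for e in survivors:
            print("  keep:", e)
```

Running it prints which constructed events reach the index under each configuration; swap in your own event samples and regexes to confirm a filter drops only what you intend before deploying it, since anything routed to nullQueue is gone for good.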