Getting Data In

How do I exclude stream events based on criteria before indexing?

lznger88_2
Path Finder

Hi All,

I need to exclude events when 'dest_port=80'. I have gone through other similar examples and have come to the conclusion that it is more my poor REGEX skills causing the issue.

The stream data (netflow v9) goes through a heavy forwarder (HF) prior to the indexer (IDX). Below are the props.conf and transforms.conf of the HF, as well as an event log:

props.conf:

[stream:netflow]
TRANSFORMS-null= setnull

transforms.conf:

[setnull]
REGEX = "dest_port":53
DEST_KEY = queue
FORMAT = nullQueue

I have also tried other REGEX values, such as "(\w+)":80 and "([^\"]+)\":80, but they don't seem to be working.

Event log:

{"dest_ip":"123.456.789.99","dest_port":80,"event_name":"netFlowData","exporter_ip":"192.192.192.192","exporter_time":"2018-Jan-08 03:47:21","exporter_uptime":1269091254,"firewall_event":1,"flow_id":2950442453,"flow_start_time_milli":1546919225527,"input_snmpidx":5,"netflow_elements":["UNKNOWN : 0000","UNKNOWN : fa14fc27d49102c0abdf8bd4","UNKNOWN : 000000000000000000000000","UNKNOWN : 

Any help would be great. Thanks in advance

0 Karma
1 Solution

harsmarvania57
Ultra Champion

Hi,

Can you please try below config on HF

transforms.conf

[setnull]
REGEX = \"dest_port\"\:80
DEST_KEY = queue
FORMAT = nullQueue

lznger88_2
Path Finder

Thanks immensely harsmarvania57.

The regex you supplied matches any dest_port equal to 80* (for example, 80, 801, 8001, etc.); I tested this in Splunk.

I had to amend it slightly to get the right output based on the above log format:
REGEX = \"dest_port\":80\D

0 Karma

harsmarvania57
Ultra Champion

Or you can use REGEX = \"dest_port\"\:80\,

0 Karma

lznger88_2
Path Finder

This didn't actually work given the above log format.

0 Karma
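As an added example (not part of the thread, and not Splunk's own code): the script below runs the three REGEX values posted above, exactly as written in transforms.conf, against constructed netflow-style events and mimics what a `[setnull]` transform with `DEST_KEY = queue` / `FORMAT = nullQueue` does, an unanchored search of REGEX over `_raw` that sends matching events to nullQueue. Splunk evaluates REGEX with PCRE; for these simple patterns Python's `re` module behaves the same. The sample events, the port values and the final lookahead pattern are my additions and not from the page; the last event, with `dest_port` as the closing field, is a constructed case showing where a trailing `\,` and a trailing `\D` differ.

```python
import re

# Constructed sample events modelled on the netflow JSON shown in the thread
# (not the poster's real data): same field layout, ports varied for the test.
EVENTS = {
    "port80":      '{"dest_ip":"10.0.0.5","dest_port":80,"event_name":"netFlowData","exporter_ip":"10.0.0.1"}',
    "port801":     '{"dest_ip":"10.0.0.5","dest_port":801,"event_name":"netFlowData","exporter_ip":"10.0.0.1"}',
    "port8001":    '{"dest_ip":"10.0.0.5","dest_port":8001,"event_name":"netFlowData","exporter_ip":"10.0.0.1"}',
    "port53":      '{"dest_ip":"10.0.0.5","dest_port":53,"event_name":"netFlowData","exporter_ip":"10.0.0.1"}',
    "src_port80":  '{"dest_ip":"10.0.0.5","dest_port":443,"src_port":80,"event_name":"netFlowData"}',
    # Constructed edge case: dest_port is the last key, so "80" is followed by "}" not ",".
    "port80_last": '{"dest_ip":"10.0.0.5","event_name":"netFlowData","dest_port":80}',
}

# REGEX values as they appear in the thread's transforms.conf. Splunk passes them
# to PCRE; \" \: \, are escaped literals in both PCRE and Python's re.
REGEXES = {
    "accepted_answer": r'\"dest_port\"\:80',        # also matches 801, 8001, ...
    "with_nondigit":   r'\"dest_port\":80\D',       # poster's amendment: 80 then a non-digit
    "with_comma":      r'\"dest_port\"\:80\,',      # 80 then a literal comma
    # My addition (hypothetical, not from the thread): 80 followed by "," or "}",
    # so it covers dest_port appearing as the last field too.
    "end_anchored":    r'\"dest_port\":80(?=[,}])',
}


def route(raw, regex):
    """Mimic a [setnull] transform with DEST_KEY=queue, FORMAT=nullQueue.

    Splunk does an unanchored search of REGEX against _raw; a match rewrites
    the queue key to nullQueue (event dropped), otherwise the event continues
    to indexQueue and is indexed.
    """
    return "nullQueue" if re.search(regex, raw) else "indexQueue"


def dropped_by(regex):
    """Return the set of sample event names a given REGEX would send to nullQueue."""
    return {name for name, raw in EVENTS.items() if route(raw, regex) == "nullQueue"}


if __name__ == "__main__":
    for label, rx in REGEXES.items():
        print(f"{label:16} {rx:32} drops {sorted(dropped_by(rx))}")
```

Running it shows the behaviour reported in the thread: the accepted `\"dest_port\"\:80` drops the 801 and 8001 events as well as 80, `\"dest_port\":80\D` drops only true port-80 events, and the `\,` variant additionally misses an event where `dest_port` is the final key. Before deploying any of these on the HF, test the regex against a handful of real `_raw` samples the same way, since netflow field order in the JSON is what the match depends on.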