Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How do I send events to nullqueue?

stevenbutterwor
Path Finder
‎08-30-2019 02:42 AM

I am currently ingesting AWS VPC Flow logs from our AWS tenant. Most of the logs are internal traffic between ec2 instances. I'd like to send these events to nullqueue as they are not much use to us, we are only concerned with inbound and outbound traffic to the VPC. I think the best way to drop these events is to insert some regex into transforms.conf? Could someone help with this?

I wish to exclude events that have both srcaddr starting with 10.x and dstaddr starting with 10.x

Any help would be appreciated

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

stevenbutterwor
Path Finder
‎09-04-2019 06:17 AM

The correct regex is as follows

^\d\s\d*\seni-.*\s10.\d{1,3}.\d{1,3}.\d{1,3}\s10.\d{1,3}.\d{1,3}.\d{1,3}

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

stevenbutterwor
Path Finder
‎09-04-2019 06:17 AM

The correct regex is as follows

^\d\s\d*\seni-.*\s10.\d{1,3}.\d{1,3}.\d{1,3}\s10.\d{1,3}.\d{1,3}.\d{1,3}

0 Karma
Reply
Solved! Jump to solution

mayurr98
Super Champion
‎08-30-2019 06:58 AM

try this regex:

eni-\d{8}\s+10\d\.\d{1,3}\.\d{1,3}.\.\d{1,3}\s+10\d\.\d{1,3}\.\d{1,3}\.\d{1,3}
0 Karma
Reply
Solved! Jump to solution

jawaharas
Motivator
‎08-30-2019 06:28 AM

You can try below RegEx.

[setnull]
REGEX = ^\d\s\d*\seni-\d{2}\s10\.\d{1,3}\.\d{1,3}\.\d{1,3}\s10\.\d{1,3}\.\d{1,3}\.\d{1,3}
DEST_KEY = queue
FORMAT = nullQueue
0 Karma
Reply
Solved! Jump to solution

stevenbutterwor
Path Finder
‎08-30-2019 05:06 AM

alt text

I have attached an image. The 2 field names are srcaddr and dstaddr. It's when both of these start with 10 I want to send to nullQueue

Preview file
264 KB
0 Karma
Reply
Solved! Jump to solution

sandyIscream
Communicator
‎08-30-2019 02:58 AM

@stevenbutterworth You have to setup two files. props.conf and transforms.conf

Please have a loot at the example below.

props.conf
[srctype1]
TRANSFORMS-set = setnull, logstoCapture

transforms.conf
[logstoCapture]
REGEX =
DEST_KEY = queue
FORMAT = indexQueue

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

0 Karma
Reply
Solved! Jump to solution

stevenbutterwor
Path Finder
‎08-30-2019 03:09 AM

Thanks for your answer - it's regex part I need help with

0 Karma
Reply
Solved! Jump to solution

sandyIscream
Communicator
‎08-30-2019 03:10 AM

Could you please send the sample log file. Then I might be able to help you write the regex query

0 Karma
Reply
Solved! Jump to solution

sandyIscream
Communicator
‎09-02-2019 07:16 PM

@stevenbutterworth Did you try the regex that people have posted here ? If that helps then could you please accept the answer.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

    Thursday, June 25, 2026  |  11AM PDT / 2PM EDT  Duration: 1 Hour (Includes live Q&A) Register to ...

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...