Hello, so I understand that my props.conf and transforms.conf (below) in theory allow me to filter out the events that match the regex specified.
props.conf
 [filter_out_auth_logs]
 TRANSFORMS-tonull = filter_out_word
transforms.conf
 [filter_out_word]
 REGEX =  WORD\[.*?\]:
 DEST_KEY = queue
 FORMAT = nullQueue
What I am unsure of, is how I ensure this filter is only applied to a specific input?
For example, if I have the following entries in the input.config file, where do I specify that I want the input that sends logs to myindex1 to make use of the filtering specified in props and transforms configs?
 [monitor:///var/log/syslog]
 index = myindex1
 sourcetype = syslog
 [monitor:///var/log/syslog.log]
 index = myindex2
 sourcetype = syslog
You can do this by specifying the source to have action taken against in props.conf. So you'll end up with a props.conf config that looks something like this:
[source::/var/log/syslog]
  REGEX =  WORD\[.*?\]:
  DEST_KEY = queue
  FORMAT = nullQueue
You want to set the name of your props.conf stanza to refer to some metadata which Splunk can use to process the logs through your transforms.
You can find more about the specifics here: https://docs.splunk.com/Documentation/Splunk/latest/admin/Propsconf
(note: [<spec>]
* This stanza enables properties for a given <spec>.
* A props.conf file can contain multiple stanzas for any number of
  different <spec>.
* Follow this stanza name with any number of the following setting/value
  pairs, as appropriate for what you want to do.
* If you do not set a setting for a given <spec>, the default is used.
<spec> can be:
1. <sourcetype>, the source type of an event.
2. host::<host>, where <host> is the host, or host-matching pattern, for an
                 event.
3. source::<source>, where <source> is the source, or source-matching
                     pattern, for an event.
4. rule::<rulename>, where <rulename> is a unique name of a source type
                     classification rule.
5. delayedrule::<rulename>, where <rulename> is a unique name of a delayed
                            source type classification rule.
                            These are only considered as a last resort
                            before generating a new source type based on the
                            source seen.)
Hello, thanks for the response. Adding [source::/var/log/syslog] in the stanza won't help for my use case. I have different inputs that send logs to multiple indexes, but they have the same source log, and I want to apply the filter to one of these inputs, but not the other. Is there anything else I can do?
Is there no way to point the input at the props stanza?
How we handle that in our org is by giving those a unique sourcetype and stitching everything together for end user simplicity with tags.
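The unique-sourcetype approach from the last reply, written out as an added example that is not from any poster in this thread. The sourcetype name syslog_filtered and the tag name syslog_all are assumptions; the paths, indexes and the filter_out_word transform are the ones from the question.

```ini
# --- inputs.conf (forwarder) ---
# Only the input that feeds myindex1 gets the new sourcetype (assumed name).
[monitor:///var/log/syslog]
index = myindex1
sourcetype = syslog_filtered

# The myindex2 input keeps the stock sourcetype and is never filtered.
[monitor:///var/log/syslog.log]
index = myindex2
sourcetype = syslog

# --- props.conf (heavy forwarder or indexer, wherever parsing happens) ---
# The stanza name is the link between the input and the filter: it matches
# the sourcetype set above, so only events from that input reach the transform.
# Settings you rely on from the existing [syslog] stanza must be repeated
# here, because the new sourcetype does not inherit them.
[syslog_filtered]
TRANSFORMS-tonull = filter_out_word

# --- transforms.conf (same instance as props.conf) ---
# REGEX, DEST_KEY and FORMAT live here, not in props.conf.
[filter_out_word]
REGEX = WORD\[.*?\]:
DEST_KEY = queue
FORMAT = nullQueue

# --- tags.conf (search head) ---
# One shared tag (assumed name) so users can search both sourcetypes together.
[sourcetype=syslog]
syslog_all = enabled

[sourcetype=syslog_filtered]
syslog_all = enabled
```

With this in place a search on tag=syslog_all returns events from both sourcetypes. The sourcetype change and the filter apply only to events indexed after the configuration is deployed.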
