Using folder redirection on a server is creating nearly a quarter million events per hour being forwarded. I want some of the event codes for other shares to be logged, but not specific ones, so is there any way to filter events that contain the string "desktop$" from being indexed? Currently on the indexer I've made the props.conf and transforms.conf in %splunkhome%/etc/system/local
props.conf
[default]
TRANSFORMS-remove_events=wminull
transforms.conf
[wminull]
REGEX=(?s)desktop$
DEST_KEY=queue
FORMAT=nullQueue
But that doesn't seem to be working.
Your regular expression contains a special character: desktop$ means "find the word desktop at the end of a line".
I think you may want this instead:
REGEX=(?s)desktop\$
Also remember that regular expressions are case-sensitive.
Finally, by putting the TRANSFORMS- in the [default] stanza of props.conf, you are forcing Splunk to evaluate this regular expression for every event that arrives at the indexer. This is horribly inefficient. I would suggest that you use a sourcetype stanza of some sort instead. For example:
[win*]
TRANSFORMS-remove_events=wminull
You know, I think that might have done it. I modified the props.conf to be
[host::]
That way the indexer should only be concerned about that one forwarder, correct?
Also, what if I wanted to add a couple more strings to the excluded search, such as IPC$ and usr? Would I just edit the transforms like this?
REGEX=(?s)desktop\$,(?s)IPC\$,(?s)usr
Or do I not need the (?s) between each comma? I think it's a comma that separates them?
Yes, if the data is coming as "myServer" then [host::myServer] will work great.
In regular expressions, alternation is |, so you could do this:
REGEX=(?s)desktop\$|IPC\$|usr
You only need the (?s) once, as it applies to the whole regular expression. Be aware that Splunk uses unanchored regular expressions. That means that if Splunk finds one of the strings "desktop$" or "IPC$" or "usr" anywhere in the event, the event will be dropped.
If you are going to be writing a lot of regular expressions, you might want to consider picking up a tool, tutorial or reference. There is a brief tutorial/description in the Splunk documentation here, but you can find tons of resources online.
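To make the two points in this answer concrete (the unescaped $ in the original regex, and the unanchored matching that drops any event containing "usr"), here is an added example that emulates the nullQueue transform against a few constructed events. It is not part of the thread; the event layout, the FS01 server name and the tighter TIGHT pattern are assumptions for illustration only.

```python
import re

# Constructed sample events (not from the original thread); the field layout
# loosely follows Windows share-access audit events as a forwarder would send them.
EVENTS = [
    r"EventCode=5140 Share Name: \\FS01\desktop$ Account Name: jdoe",
    r"EventCode=5140 Share Name: \\FS01\IPC$ Account Name: jdoe",
    r"EventCode=5140 Share Name: \\FS01\usr Account Name: jdoe",
    r"EventCode=5140 Share Name: \\FS01\finance Account Name: jdoe",
    # Contains "usr" only inside a file name, not as the share name.
    r"EventCode=5145 Share Name: \\FS01\finance Relative Target Name: usrguide.pdf",
]

# Regex from the original question: the unescaped $ is an end-of-line anchor,
# so it only matches events that literally end in "desktop".
BROKEN = r"(?s)desktop$"
# Corrected alternation from the answer: \$ is a literal dollar sign,
# | separates alternatives, and (?s) is needed only once.
FIXED = r"(?s)desktop\$|IPC\$|usr"
# Assumed tighter variant (not from the thread): anchor the match to the
# Share Name field so "usr" inside a file name does not drop the event.
TIGHT = r"(?s)Share Name: \\\\[^\\ ]+\\(?:desktop\$|IPC\$|usr)(?=\s|$)"

def null_queue_filter(events, regex):
    """Emulate a transforms.conf rule with DEST_KEY=queue, FORMAT=nullQueue.
    Splunk applies REGEX unanchored (like re.search, not re.match): a match
    anywhere in the event sends it to the null queue. Returns (kept, dropped)."""
    pattern = re.compile(regex)
    kept, dropped = [], []
    for event in events:
        (dropped if pattern.search(event) else kept).append(event)
    return kept, dropped

if __name__ == "__main__":
    for name, regex in (("BROKEN", BROKEN), ("FIXED", FIXED), ("TIGHT", TIGHT)):
        kept, dropped = null_queue_filter(EVENTS, regex)
        print(f"{name}: kept {len(kept)}, dropped {len(dropped)}")
        for event in dropped:
            print("  dropped:", event)
```

Running it shows BROKEN drops nothing, FIXED drops the three share events plus the usrguide.pdf event, and TIGHT drops only the three intended shares.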