Hi everyone,
I need help to create a better regex in my transforms.conf. I am filtering Check Point data in my Splunk.
In this case, I don't want to collect the following event: policy_name=firewall_name
I created the props.conf and transforms.conf:
props.conf:
[script:///splunk/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity SplunkLEA]
TRANSFORMS-null = eliminate_opsec
transforms.conf:
[eliminate-opsec]
REGEX = policy_name\=firewall_name
DEST_KEY = queue
FORMAT = nullQueue
How do I add this function?
Hello everyone,
We succeeded with the documentation mentioned; see below how the files were edited:
http://docs.splunk.com/Documentation/Splunk/6.2.3/Forwarding/Routeandfilterdatad
https://answers.splunk.com/answers/99636/need-help-with-nullqueue-specifics-included.html
props.conf:
[opsec]
TRANSFORMS-null = setnullopsec
transforms.conf:
[setnullopsec]
REGEX = policy_name=(FIrewall_1|Firewall_2)
DEST_KEY = queue
FORMAT = nullQueue
Thank you very much.
Rodrigo Ribeiro
Hi,
Reviewing your configuration, there is a mistake in the name of the transform:
eliminate_opsec vs eliminate-opsec
They have to be the same.
Hope I helped you.
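To check a nullQueue filter before restarting Splunk, the following added Python script (not part of this thread or of Splunk) emulates the two behaviours the answers above depend on: the TRANSFORMS-null value must name an existing transforms.conf stanza, and REGEX is matched case-sensitively against the raw event. The config dictionaries and the events are constructed samples, not real Check Point logs.

```python
import re

# Constructed stand-ins for the props.conf / transforms.conf pair from the accepted answer.
PROPS = {"opsec": {"TRANSFORMS-null": "setnullopsec"}}
TRANSFORMS = {
    "setnullopsec": {
        "REGEX": r"policy_name=(FIrewall_1|Firewall_2)",
        "DEST_KEY": "queue",
        "FORMAT": "nullQueue",
    },
}

# Constructed sample events (field layout loosely modelled on OPSEC LEA output).
EVENTS = [
    "time=10:00:01 action=accept policy_name=Firewall_2 src=10.0.0.5 dst=10.0.0.9",
    "time=10:00:02 action=drop policy_name=Firewall_3 src=10.0.0.6 dst=10.0.0.9",
    "time=10:00:03 action=accept policy_name=firewall_2 src=10.0.0.7 dst=10.0.0.9",
]


def missing_transform_refs(props, transforms):
    """Names referenced by any TRANSFORMS-* key that have no transforms.conf stanza.

    This is the eliminate_opsec / eliminate-opsec mismatch from the question:
    Splunk silently applies nothing, so the events keep being indexed.
    """
    return [
        name
        for stanza in props.values()
        for key, name in stanza.items()
        if key.startswith("TRANSFORMS-") and name not in transforms
    ]


def route_event(event, sourcetype, props=PROPS, transforms=TRANSFORMS):
    """Return the queue the event lands in: 'indexQueue' or 'nullQueue'."""
    queue = "indexQueue"
    for key, name in props[sourcetype].items():
        if not key.startswith("TRANSFORMS-") or name not in transforms:
            continue
        t = transforms[name]
        # REGEX is searched anywhere in _raw; PCRE is case-sensitive by default,
        # so 'firewall_2' does not match 'Firewall_2'.
        if t.get("DEST_KEY") == "queue" and re.search(t["REGEX"], event):
            queue = t["FORMAT"]
    return queue


def route_all(events=EVENTS, sourcetype="opsec"):
    return [route_event(e, sourcetype) for e in events]


if __name__ == "__main__":
    for event, queue in zip(EVENTS, route_all()):
        print(f"{queue:10s} <- {event}")
```

Only the first sample event is dropped; the third survives because of the lowercase policy name, which is the kind of mismatch to look for when a filter appears not to work after a restart.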
Hi,
Have you restarted the Splunk daemon?
Hope this helps you.
Hi,
Yes, I tried this, but it did not work.
Rodrigo Ribeiro