Getting Data In

How to filter out certain events from checkpoint data?

rodrigorsilva
Communicator

Hi everyone,

I need help to create a better regex in my transforms.conf. I am filtering checkpoint data in my Splunk.

In this case, I don't want collect the following event policy_name=firewall_name

I created the props.conf and transforms.conf:

 props.conf:
 [script:///splunk/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity SplunkLEA]
 TRANSFORMS-null = eliminate_opsec

 transforms.conf
 [eliminate-opsec]
 REGEX = policy_name\=firewall_name
 DEST_KEY = queue
 FORMAT = nullQueue

How do I do add this function ?

0 Karma
1 Solution

rodrigorsilva
Communicator

Hello everyone

We had successfully with the informed documentation, see below how the files were edited:

http://docs.splunk.com/Documentation/Splunk/6.2.3/Forwarding/Routeandfilterdatad
https://answers.splunk.com/answers/99636/need-help-with-nullqueue-specifics-included.html

  • props.conf
    [opsec]
    TRANSFORMS-null = setnullopsec

  • transforms.conf
    [setnullopsec]
    REGEX = policy_name=(FIrewall_1|Firewall_2)
    DEST_KEY = queue
    FORMAT = nullQueue

Thank you very much.

Rodrigo Ribeiro

View solution in original post

0 Karma

rodrigorsilva
Communicator

Hello everyone

We had successfully with the informed documentation, see below how the files were edited:

http://docs.splunk.com/Documentation/Splunk/6.2.3/Forwarding/Routeandfilterdatad
https://answers.splunk.com/answers/99636/need-help-with-nullqueue-specifics-included.html

  • props.conf
    [opsec]
    TRANSFORMS-null = setnullopsec

  • transforms.conf
    [setnullopsec]
    REGEX = policy_name=(FIrewall_1|Firewall_2)
    DEST_KEY = queue
    FORMAT = nullQueue

Thank you very much.

Rodrigo Ribeiro

0 Karma

rodrigorsilva
Communicator

Sorry, corrected.

See image:

alt text

I tried including the props.conf otherwise specified, but could not figure out if my props file or transforms is incorrect or even both.

0 Karma

jmallorquin
Builder

Hi,

Reviewing your configuration there is a mistake about the name of the transform.

eliminate_opsec vs eliminate-opsec

They have to be the same.

Hope i help you.

0 Karma

jmallorquin
Builder

Hi,

Have you restarted splunk daemon?

Hope help you

0 Karma

rodrigorsilva
Communicator

HI,

Yes, i tried this, but not worked.

Rodrigo Ribeiro

0 Karma
Get Updates on the Splunk Community!

Exporting Splunk Apps

Join us on Monday, October 21 at 11 am PT | 2 pm ET!With the app export functionality, app developers and ...

Cisco Use Cases, ITSI Best Practices, and More New Articles from Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Build Your First SPL2 App!

Watch the recording now!.Do you want to SPL™, too? SPL2, Splunk's next-generation data search and preparation ...