Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: How to filter out specific events sent via Uni...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to filter out specific events sent via Universal Forwarder?
I have one indexer that is receiving events from a remote Windows host via the Universal Forwarder.
I am trying to filter out events that contain the string 'empty logger' in the log file D:\Logs\Test\testlog5_29_20.log file on the remote server.
I have attempted to use the props.conf and the transforms.conf files on the indexer to send the events matching the regex to nullqueue, but the events in question are still making it.
I am suspecting that the source stanza in the props.conf file isn't correct, as I am specifying a directory that only exists on the remote Windows hosts.
Am I correct in that assumption?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Resolved the issue using [source::....log] stanza in props.conf.
Thanks everyone for your help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think my issues lies with my props.conf source..
I am currently using:
[source::d:\logs\...\*.log]
TRANSFORMS-null = setnull
I tried using the sourcetype that shows up when I search these events "SampleSourcetype2"
Here is how I have it set:
[sourcetype::SampleSourcetype2]
TRANSFORMS-null = setnull
Then in transforms.conf
[setnull]
REGEX = empty logger
DEST_KEY = queue
FORMAT = nullQueue
The events with "empty logger" are still being indexed however.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That syntax looks OK (well not so much. See my later comment). What does the [setnull] stanza in your transforms.conf file look like?
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
[setnull]
REGEX = empty logger
DEST_KEY = queue
FORMAT = nullQueue
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
BTW, [sourcetype::SampleSourcetype2] is not supported in props.conf. Use [SampleSourcetype2].
Also, the backslashes must be escaped. source::d:\\logs\\...\\*.log
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We are doing this in the following fashion - but we would need to see how you have your configs formatted:
props.conf
[sourcetype:to:modify]
TRANSFORMS-null = StanzaNameInTransforms
This is simply the name we are giving it. It must start with TRANSFORMS but you can use -"name" to have multiple TRANSFORMS on one sourcetype.
transforms.conf
[StanzaNameInTransforms]
REGEX =
DEST_KEY= queue
FORMAT = nullQueue
Your REGEX can be a partial portion of a line. I would play around with that bit but in one of our examples, we simply have a string that shows up in our examples we want dropped. From your example it should be:
[StanzaNameInTransforms]
REGEX = empty logger
DEST_KEY= queue
FORMAT = nullQueue
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please share a sample event (sanitized) and your current props and transforms for the sourcetype.
If this reply helps you, Karma would be appreciated.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
