How to ignore the import data

pansplunktest · ‎04-02-2013

Hi,

I using the external data source named: firewall and I want to ignore the data

"Apr  2 16:06:15 firewall device_id=abcde1234  [Root]system-critical-00033: Src IP session limit! From a.b.c.d to i.j.k.l, proto 1 (zone Trust int  ethernet0/3). Occurred 2 times. (2013-04-02 16:06:14)"

which content "From a.b.c.d"

I tried to config "props.conf"

[source::firewall]
TRANSFORMS-null = setnull

[setnull]
REGEX = From\sa.b.c.d
DEST_KEY = queue
FORMAT = nullQueue

But is shown the warning "

Possible typo in stanza [setnull] in /opt/splunk/etc/system/local/props.conf, line 5: REGEX  =  From\sa.b.c.d
Possible typo in stanza [setnull] in /opt/splunk/etc/system/local/props.conf, line 6: DEST_KEY  =  queue"
Possible typo in stanza [setnull] in /opt/splunk/etc/system/local/props.conf, line 7: FORMAT  =  nullQueue

Is it how I modify to correct config? Thanks in advance.

pansplunktest · ‎04-02-2013

Thanks. That is missing to creating tranforms.conf

Ayn · ‎04-02-2013

The setnull transform should go into transforms.conf, not props.conf. Read the docs, here: http://docs.splunk.com/Documentation/Splunk/5.0.2/Deploy/Routeandfilterdatad#Discard_specific_events...

How to ignore the import data

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio