Solved: How to remove logs from specific sourcetype being ...

newsplunker1 · ‎02-13-2023

Hi Everyone,

Im trying to stop the following index from being indexed into Splunk using the props/transforms confs on HF but with no luck - What am i doing wrong here ?

props.conf

[pan:userid]
TRANSFORMS-set-nullqueue=set_nullqueue

transforms.conf

[set_nullqueue]
REGEX=.
DEST_KEY=queue
FORMAT=nullQueue

Thank you!!

scelikok · ‎02-14-2023

Hi @newsplunker1,

Palo Alto TA uses sourcetype renaming. You should apply your transform to original sourcetype which is pan:log or pan_log. But as @gcusellowarned, above setting will filter everything in that case. Your regex must be specific. Please try below;

props.conf

[pan:log]
TRANSFORMS-filter_pan_userid = filter_pan_user_id

transforms.conf

[filter_pan_user_id]
REGEX = ^[^,]+,[^,]+,[^,]+,USERID,
DEST_KEY = queue
FORMAT = nullQueue

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

scelikok · ‎02-14-2023

Hi @newsplunker1,

Palo Alto TA uses sourcetype renaming. You should apply your transform to original sourcetype which is pan:log or pan_log. But as @gcusellowarned, above setting will filter everything in that case. Your regex must be specific. Please try below;

props.conf

[pan:log]
TRANSFORMS-filter_pan_userid = filter_pan_user_id

transforms.conf

[filter_pan_user_id]
REGEX = ^[^,]+,[^,]+,[^,]+,USERID,
DEST_KEY = queue
FORMAT = nullQueue

If this reply helps you an upvote and "Accept as Solution" is appreciated.

newsplunker1 · ‎02-14-2023

Thanks @scelikok - I ll test it and report back

newsplunker1 · ‎02-13-2023

Sorry I meant sourcetype NOT index

gcusello · ‎02-14-2023

Hi @newsplunker1,

using this configuration, you discard all logs with that sourcetype, so the question is: why don't you disable the related input instead log filtering after input?

the solution you describe is useful to discard selected logs not all logs.

To discard all logs from a predefined sourcetype it's easier to disable input for that sourcetype.

Ciao.

Giuseppe

newsplunker1 · ‎02-14-2023

Hi @gcusello

Thanks for taking the time to look into this.

I could not find that sourcetype in the inputs.conf . Splunk monitors the following file

source="/var/log/splunk/network/paloalto/IP@/syslog.log"

my inputs.conf

[monitor:///var/log/splunk/network/paloalto/IP@/syslog.log]
disabled = 0
host =
host_segment = 6
sourcetype = pan:log
index = test

I can only see the pan:userid in the props conf

gcusello · ‎02-14-2023

Hi @newsplunker1,

if you want to discard all logs with the sourcetype=pan:userid and you have only this input with this sourcetype, you can simply disable this input using "disabled = 1".

Ciao.

Giuseppe

newsplunker1 · ‎02-14-2023

This will disable all sourcetypes

pan:threat

pan:traffic

pan:system

I just want to disable or ignore the logs for pan:userid sourcetype

gcusello · ‎02-14-2023

Hi @newsplunker1,

as @scelikok said, this Add-on makes a transformation changing the sourcetype.

In this case the solution is the original one to install on Indexers or (if present) on Heavy Forwarders.

on props.conf:

[pan:log]
TRANSFORMS-filter_pan_userid = filter_pan_user_id

transforms.conf:

[filter_pan_user_id]
REGEX = ^[^,]+,[^,]+,[^,]+,USERID,
DEST_KEY = queue
FORMAT = nullQueue

Ciao.

Giuseppe

How to remove logs from specific sourcetype being indexed?

heavy forwarder

inputs.conf

props.conf

sourcetype

transforms.conf

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Unleash Unified Security and Observability with Splunk Cloud Platform