Getting Data In

Is there a way to blacklist specific event for specific index

ss026381
Communicator

I know we can easily blacklist specific events using regex in props.conf and transforms.conf. But I have 4 different indexes and I want to blacklist specific events from one index, or maybe I want to whitelist specific events for 1 index. Is it possible?

0 Karma

ss026381
Communicator

Thanks DalJeanis, I thought the stanza only works for a source. I never tried it with an index. I will try it and close this if it works.

0 Karma

DalJeanis
Legend

Yes, you are looking to "route unwanted events to the nullqueue".

Basically, you will create a regex that identifies the events you want to blacklist, put a somestanza name in props.conf for that index or source, and then in transforms.conf under that somestanza you will have:

[somestanza]
SOURCE_KEY = whateverfieldIwanttofindthematchin
REGEX = mymatchregex
DEST_KEY = queue
FORMAT = nullQueue

Here are some examples -

https://answers.splunk.com/answers/59370/filtering-events-using-nullqueue-1.html

ss026381
Communicator

Didn't work for me. I bet I am doing something wrong. Here is my configuration file.

props.conf

[source::*.*]
index=new-index 
TRANSFORMS-set= setnull

transforms.conf

[setnull]
REGEX = .*\s+Debug\s+.*
DEST_KEY = queue
FORMAT = nullQueue

I am trying to blacklist all debug events. For example:

11 Oct 2017 09:05:39  n/a -  client   exception  Debug  Authentication error

0 Karma

DalJeanis
Legend

Your [setnull] stanza looks okay, like it would work technically, but you will probably have a catastrophic backtracking error on any event that does NOT have Debug in it. Basically, it would use the first .* to slurp up all the characters until it got to the end, and then back up to the first space, then look for Debug again, then back up again, and so on. Because each thing that qualifies for \s ALSO qualifies for '.', it can fail to match in many, many different ways.

You should take advantage of the fact that the REGEX is not anchored, so you are just looking for a space, then the word Debug, then a space.

[setnull]
REGEX = \sDebug\s
DEST_KEY = queue
FORMAT = nullQueue

If you want to route to a different index, there is a different syntax for that. It would look something like this, and it should be in a stanza of its own.

[stanzaname]
REGEX = (.)
DEST_KEY = _MetaData:Index
FORMAT = newindexname

https://answers.splunk.com/answers/478659/how-to-route-to-an-index-based-on-sourcetype-and-h.html
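As an added illustration (my own script, not from this thread and not Splunk code), the Python below mimics what the [setnull] transform does: it runs the REGEX unanchored over each raw event, the way Splunk applies it to SOURCE_KEY (_raw by default), and diverts matches to a "null queue" list instead of the index. It runs both the poster's `.*\s+Debug\s+.*` and the leaner `\sDebug\s` over a few constructed events, including two edge cases worth knowing about (the word "Debugger", and "Debug" at the very start of a line, which neither pattern catches because both require whitespace before the word), and times each pattern against a whitespace-heavy event that contains no Debug at all. The sample events, the field layout and the timing harness are assumptions of mine; Python's re engine is used as a stand-in for Splunk's PCRE, which treats these two patterns the same way.

```python
import re
import time

# Constructed sample events (the first mirrors the poster's example line;
# the others, and their field layout, are assumptions for this demo).
SAMPLE_EVENTS = [
    "11 Oct 2017 09:05:39  n/a -  client   exception  Debug  Authentication error",
    "11 Oct 2017 09:05:40  n/a -  client   session    Info   Login succeeded",
    "11 Oct 2017 09:05:41  n/a -  client   session    Warn   Debugger attached",
    "Debug marker at the very start of the line",
]

# The two REGEX values discussed in the thread.
ORIGINAL_REGEX = r".*\s+Debug\s+.*"   # poster's version: .* and \s+ overlap, lots of backtracking
LEAN_REGEX = r"\sDebug\s"             # DalJeanis's version: one linear scan


def route_to_nullqueue(events, regex):
    """Mimic a transforms.conf stanza with DEST_KEY = queue / FORMAT = nullQueue.

    Splunk applies REGEX unanchored against SOURCE_KEY (_raw by default),
    so re.search is the right analogue here. Returns (kept, dropped).
    """
    pattern = re.compile(regex)
    kept, dropped = [], []
    for event in events:
        (dropped if pattern.search(event) else kept).append(event)
    return kept, dropped


def time_regex(regex, text):
    """Seconds the engine spends trying (and failing) to match regex on text."""
    pattern = re.compile(regex)
    start = time.perf_counter()
    pattern.search(text)
    return time.perf_counter() - start


if __name__ == "__main__":
    for label, regex in (("original", ORIGINAL_REGEX), ("lean", LEAN_REGEX)):
        kept, dropped = route_to_nullqueue(SAMPLE_EVENTS, regex)
        print(f"{label}: kept {len(kept)}, sent to nullQueue {len(dropped)}")
        for event in dropped:
            print("  nullQueue:", event)

    # A whitespace-heavy event with no "Debug" in it: the original pattern has
    # many more ways to fail (every split between .* and \s+ is retried at
    # every start offset), the lean one scans the line once.
    pathological = " " * 400 + "no debug here"
    print("original:", round(time_regex(ORIGINAL_REGEX, pathological), 4), "s")
    print("lean:    ", round(time_regex(LEAN_REGEX, pathological), 4), "s")
```

Both patterns make the same keep/drop decisions on these events, which is the point: the lean regex loses nothing while removing the backtracking cost. If "Debug" can appear at the start of an event or be followed by punctuation rather than whitespace, widen the pattern deliberately (for example with `\bDebug\b`) rather than reaching back for `.*`.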
