Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Issue sending events to nullQueue.

bnichols024
New Member
‎05-28-2020 10:19 AM

I'm having some issues sending specific events to nullQueue. I want all events from a specific source with the event_type=SETXATTR sent to nullqueue. I have this in my props and transforms files that is currently not working:

Props.conf

[source::/syslog-ng/nasuni/*/*.log]
TRANSFORMS-null= setnull

Transforms.conf

[setnull]
REGEX = (?<event_type>SETXATTR)
DEST_KEY = queue
FORMAT = nullQueue

Also, where exactly on the indexers should these be? I've read some say to put in the $SPLUNK_HOME/etc/system/local folder and others say to put in the $SPLUNK_HOME/etc/apps/myapp/local folder.

Thanks!

Labels (1)
Labels
0 Karma
Reply

darrenfuller
Contributor
‎05-29-2020 07:05 AM

Hi bnichols024,

I think your REGEX is incorrect....you made the capture group a named group called event_type, rather than looking for the string.

Try this: 

[setnull]
REGEX = (event_type = SETXATTR)
DEST_KEY = queue
FORMAT = nullQueue
0 Karma
Reply

dindu
Contributor
‎05-28-2020 11:03 AM

Hi,

Please check the regex whether it's capturing the data as needed. Please give us a sample event to work it out for you.
Your props and transforms are correct
The best practice is to put the conf in your app directory $SPLUNK_HOME/etc/apps/myapp/local.

0 Karma
Reply

bnichols024
New Member
‎05-28-2020 11:29 AM 
2020-05-28T14:19:34-04:00 abuhnasfiler01.euc.ppg.com 1 2020-05-28T21:19:34.322906+03:00 abuhnasfiler01 nasuni.7e485ffc-4467-468f-b298-1 11064 8103704790 - {"to_gid": null, "event_type": "AUDIT_SETXATTR", "sequence": 63553546, "pid": 18010, "groupname": "PPGEUR\\domain users", "result": 0, "uid": 80399113, "is_dir": false, "size": null, "timestamp": 1590689974.2567756, "proto": "AUDIT_PROTO_CIFS", "ipaddr": "10.174.100.2", "ts": null, "to": null, "gid": 80001513, "filesize": null, "to_uid": null, "sid": "S-1-5-21-1570054266-39153565-926709054-398113", "tid": 18010, "username": "PPGEUR\\m00990", "path_timestamp": 0.0, "datasync": null, "volume": "7e485ffc-4467-468f-b298-17e52bab439b_0", "offset": null, "path": "/now/Groups/Common/Sales_Tinting/Silviu/Qlik/2015/Ianuarie 2015/Primite/Rapoarte/Total Decembrie 2014/pigment_67559.csv", "newpath": null, "shared_link_key": null, "resource": "BUHGroups$", "name": "user.DOSATTRIB", "length": null, "flags": null, "mode": null}
event_type = SETXATTReventtype = nix-all-logshost = abuhnasfiler01.euc.ppg.comindex = nasuni_auditingsource = /syslog-ng/nasuni/abuhnasfiler01.euc.ppg.com/2020-05-28.logsourcetype = nasuni
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...