Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Not Able to send data to Null Queue

istutig
Loves-to-Learn Lots
‎01-27-2020 02:30 AM

Hi
How to edit props.conf or blacklist the sub sourcetype

Have integrated PALO ALTO logs to Splunk it is fetching 3 sourcetypes. The pan:log sourcetyoe having pan:userid as sub sourcetype, it's generating alot of events so I want to discard them.
Tried with the Null Queue but the problem is for 1-minute window the userid is not coming whereas for 5-minute window it is coming.

props.conf:
[source::udp:514]
TRANSFORMS-null_syslogs=pa_useridnull

transforms:
[pa_useridnull]
REGEX = type=USERID
DEST_KEY = queue
FORMAT = nullQueue

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Wallace44
Explorer
‎02-05-2020 05:03 PM

I don't believe you can use type=USERID because that is a post index key pair that's generated. That regex won't match the raw logs.

I'd suggest exporting a chunk of your logs, and then going to a regex builder site and modifying your regex to match. Most regex builder sites have a tool where you can paste data and it will highlight what your regex matches. regexr.com is a site that you might find handy.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

rc15
Observer
‎09-10-2020 09:57 AM

Hi,

 

We are having same problem. Can you please provide solution if issue is resolved?

0 Karma
Reply
Solved! Jump to solution

Wallace44
Explorer
‎02-05-2020 05:11 PM

Based on my PA logs, regex of USERID,login would match the logs you want, however YMMV as I cannot see what logs you've got coming in to Splunk.

0 Karma
Reply
Solved! Jump to solution
Solution

Wallace44
Explorer
‎02-05-2020 05:03 PM

I don't believe you can use type=USERID because that is a post index key pair that's generated. That regex won't match the raw logs.

I'd suggest exporting a chunk of your logs, and then going to a regex builder site and modifying your regex to match. Most regex builder sites have a tool where you can paste data and it will highlight what your regex matches. regexr.com is a site that you might find handy.

0 Karma
Reply
Get Updates on the Splunk Community!

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...