Getting Data In

Only index events that match criteria

cdevoe57
Path Finder

I am using the TA_nix add-on to get information about the services on the servers. I am only interested in indexing 10 of the 150 services.

My setup is as follows:

Server UF --> HF --> 3 node index cluster

I am trying to filter out the events at the HF.

These are the props and transforms files.

props.conf 

[source :: Unix:Service]
TRANSFORMS-set= setnull,setparsing

transforms.conf

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = \[sshd\]
DEST_KEY = queue
FORMAT = indexQueue

Eventually I will set it to allow several services, sshd, auditd, etc. 

I'm not sure what I am doing wrong here or missing, but this is not working.


richgalloway
SplunkTrust

I suggest using Ingest Actions (IA) to filter out the unwanted events. IA uses transforms, but has an easy-to-use UI that lets you test your regular expressions before submitting them.

You can implement IA on your HF or indexers (if the GUI is enabled). If the GUI is not enabled, set up the rules on a search head and copy the resulting transforms (they will be 'ruleset' settings) to the HF.

---
If this reply helps you, Karma would be appreciated.

PickleRick
SplunkTrust

Just to nitpick a little. Ingest Actions are a wrapper for RULESET functionality, not TRANSFORMS.


PickleRick
SplunkTrust

I don't recall the details of the TA_nix, but I'm pretty sure that

[source :: Unix:Service]

is wrong.

Firstly, there shouldn't be spaces in the stanza name. But that might just be a copy-pasting error.

Secondly, if I remember correctly, you get a script name as source. Unix:Service looks more like a sourcetype name (but I don't recall such sourcetype either). How did you come up with this?


cdevoe57
Path Finder

I tried it with and without the spaces. I will remove them.

As for the Unix:Service, I got that by doing a query and looking at the source.


cdevoe57
Path Finder

In the end this is what worked.

props.conf

##  Version 10/20/2025 16:00

[source::...Unix:Service]
TRANSFORMS-set= setnull,setparsing

transforms.conf

##  Version 10/20/2025 16:00

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
##  The list of services to index in alphabetical order
##  (the posted regex had an empty "||" alternative, which matches every event and
##  would send all 150 services to indexQueue, and a "rsylog" typo; both corrected here)
REGEX = auditd\.service|iptables\.service|journald\.service|nftables\.service|rsyslog\.service|sysstat\.service
DEST_KEY = queue
FORMAT = indexQueue
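The filtering this thread settles on relies on two Splunk behaviours that are easy to get wrong: stanzas in a TRANSFORMS-<class> list run in the order props.conf names them, each matching stanza overwrites DEST_KEY = queue so the last match wins, and REGEX is searched unanchored against the raw event, so an empty alternative produced by a stray "||" matches everything and silently disables the filter. The script below is an added example, not code from this thread or from the TA_nix add-on: it emulates that routing in Python over constructed sample events (the unit names and states are made up, and the event layout is only assumed to resemble Unix:Service output), compares the corrected chain with the "||" variant and with a reversed chain, and emulates the "..." and "*" wildcards of a [source::...] stanza as Splunk documents them.

```python
import re

# Constructed sample events shaped like TA_nix Unix:Service scripted-input
# output. Unit names and states are made up for this illustration.
SAMPLE_EVENTS = [
    "UNIT=sshd.service LOADED=loaded ACTIVE=active SUB=running",
    "UNIT=auditd.service LOADED=loaded ACTIVE=active SUB=running",
    "UNIT=cups.service LOADED=loaded ACTIVE=inactive SUB=dead",
    "UNIT=rsyslog.service LOADED=loaded ACTIVE=active SUB=running",
    "UNIT=bluetooth.service LOADED=loaded ACTIVE=inactive SUB=dead",
]

# Allowlist from the thread's transforms.conf with the stray "||" removed
# and "rsylog" corrected to "rsyslog".
ALLOWLIST = (r"auditd\.service|iptables\.service|journald\.service"
             r"|nftables\.service|rsyslog\.service|sysstat\.service")

# The same allowlist with a stray "||": the empty alternative matches every event.
ALLOWLIST_WITH_EMPTY_ALT = ALLOWLIST.replace(r"rsyslog\.service|", r"rsyslog\.service||")

# (stanza name, REGEX, FORMAT), in the order props.conf lists them under TRANSFORMS-set.
TRANSFORMS_OK = [("setnull", r".", "nullQueue"),
                 ("setparsing", ALLOWLIST, "indexQueue")]
TRANSFORMS_EMPTY_ALT = [("setnull", r".", "nullQueue"),
                        ("setparsing", ALLOWLIST_WITH_EMPTY_ALT, "indexQueue")]
TRANSFORMS_REVERSED = list(reversed(TRANSFORMS_OK))  # setparsing,setnull


def apply_transforms(event, transforms):
    """Emulate a TRANSFORMS-<class> chain whose stanzas set DEST_KEY = queue.

    Each REGEX is searched (unanchored) against the raw event, the default
    SOURCE_KEY. Every matching stanza overwrites the queue, so the last match
    in props.conf order wins; an event no stanza matches stays in indexQueue.
    """
    queue = "indexQueue"
    for _name, regex, fmt in transforms:
        if re.search(regex, event):
            queue = fmt
    return queue


def route(events, transforms):
    """Map each event's unit name to the queue the chain sends it to."""
    result = {}
    for event in events:
        unit = event.split()[0].split("=", 1)[1]
        result[unit] = apply_transforms(event, transforms)
    return result


def source_stanza_matches(stanza, source):
    """Emulate props.conf [source::<pattern>] matching: '...' spans any
    characters including '/', '*' spans any characters except '/'.
    The pattern is otherwise literal, so spaces in the stanza name would
    have to appear in the source value to match."""
    pattern = stanza.removeprefix("[source::").removesuffix("]")
    regex = "".join(
        ".*" if tok == "..." else "[^/]*" if tok == "*" else re.escape(tok)
        for tok in re.split(r"(\.\.\.|\*)", pattern) if tok
    )
    return re.fullmatch(regex, source) is not None


if __name__ == "__main__":
    for label, chain in [("ordered as in props.conf", TRANSFORMS_OK),
                         ("with '||' in the allowlist", TRANSFORMS_EMPTY_ALT),
                         ("setparsing listed before setnull", TRANSFORMS_REVERSED)]:
        print(label)
        for unit, queue in route(SAMPLE_EVENTS, chain).items():
            print(f"  {unit:<20} -> {queue}")
    print(source_stanza_matches("[source::...Unix:Service]", "Unix:Service"))
```

Running it shows only auditd.service and rsyslog.service reaching indexQueue with the corrected chain (sshd.service is dropped because the final allowlist does not name it), every event reaching indexQueue with the "||" variant, and every event dropped when setparsing precedes setnull. Confirm the real stanzas against live data on a test HF, or with the Ingest Actions regex tester mentioned above.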

PickleRick
SplunkTrust

Yeah, I rechecked and there is indeed that source (and sourcetype) for the service.sh scripted input.

But there definitely should _not_ be a space there.

Also - if you look into the default props.conf supplied by the addon, matching to source is done by

[source::...Unix:Service]

I'm not sure why, to be honest.

cdevoe57
Path Finder

That in fact worked. Thanks.

Now to get the regex.

livehybrid
SplunkTrust

Hi @cdevoe57

Can I check where you have applied the props/transforms?

In this setup it should be applied to the HF.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing


cdevoe57
Path Finder

It is being applied on the HF.
