Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Route and filter data that is received only from c...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Route and filter data that is received only from certain index from tcp 9997 port
Based on this
I have identified the method
Keep specific events and discard the rest
Keeping only some events and discarding the rest requires two transforms. In this scenario, which is opposite of the previous, the setnull transform routes all events to nullQueue while the setparsing transform selects the sshd events and sends them on to indexQueue.
As with other index-time field extractions, processing of transforms happens in the order that you specify them, from left to right. The key difference is the order in which you specify the stanzas. In this example, the setnull stanza must appear first in the list. This is because if you set it last, it matches all events and sends them to the nullQueue, and as it is the last transform, it effectively throws all of the events away, even those that previously matched the setparsing stanza.
When you set the setnull transform first, it matches all events and tags them to be sent to the nullQueue. The setparsing transform then follows, and tags events that match [sshd] to go to the indexQueue. The result is that the events that contain [sshd] get passed on, while all other events get dropped.
- Edit props.conf and add the following:
[source:splunk://tcp:9997] TRANSFORMS-set= setnull,setparsing
- Edit transforms.conf and add the following:
[setnull] REGEX = . DEST_KEY = queue FORMAT = nullQueue [setparsing] REGEX = \[sshd\] DEST_KEY = queue FORMAT = indexQueue
What will be the regex if I want to regex by index?
Currently, I am receiving a copy from the event from a external Splunk indexer, and wish to filter the data out, before the data reach my Splunk indexer
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Option1: Try like below to push to an index
[setparsing]
REGEX=\[sshd\]
DEST_KEY=_MetaData:Index
FORMAT=my_new_index
Option2: Another idea to try out is to ensure, the `sshd` type of data have a new sourcetype
[setparsing]
REGEX = \[sshd\]
FORMAT = sourcetype::mycustom:linux:sshd
DEST_KEY = MetaData:Sourcetype
and then in your props.conf. This way you can group relevant data into sourcetype which can then be pushed to relevant index
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
