Getting Data In

Route and filter data that is received only from a certain index on TCP port 9997


Based on this


I have identified the method


Keep specific events and discard the rest

Keeping only some events and discarding the rest requires two transforms. In this scenario, which is the opposite of the previous one, the setnull transform routes all events to nullQueue while the setparsing transform selects the sshd events and sends them on to indexQueue.

As with other index-time field extractions, processing of transforms happens in the order that you specify them, from left to right. The key difference is the order in which you specify the stanzas. In this example, the setnull stanza must appear first in the list. This is because if you set it last, it matches all events and sends them to the nullQueue, and as it is the last transform, it effectively throws all of the events away, even those that previously matched the setparsing stanza.

When you set the setnull transform first, it matches all events and tags them to be sent to the nullQueue. The setparsing transform then follows, and tags events that match [sshd] to go to the indexQueue. The result is that the events that contain [sshd] get passed on, while all other events get dropped.

  1. Edit props.conf and add the following:
    # placeholder stanza header: the quoted passage does not show it; use the
    # sourcetype or source stanza under which the data arrives
    [<your_sourcetype_or_source>]
    TRANSFORMS-set = setnull,setparsing
  2. Edit transforms.conf and add the following two stanzas, setnull first:
    [setnull]
    REGEX = .
    DEST_KEY = queue
    FORMAT = nullQueue

    [setparsing]
    REGEX = \[sshd\]
    DEST_KEY = queue
    FORMAT = indexQueue

What will be the regex if I want to regex by index?

Currently, I am receiving a copy of the events from an external Splunk indexer, and wish to filter the data out before the data reaches my Splunk indexer.


Super Champion


Option1: Try like below to push to an index



Option 2: Another idea to try out is to ensure the `sshd` type of data has a new sourcetype


# placeholder stanza name; the original post does not show it
[set_sshd_sourcetype]
REGEX = \[sshd\]
FORMAT = sourcetype::mycustom:linux:sshd
DEST_KEY = MetaData:Sourcetype


and then in your props.conf. This way you can group relevant data into a sourcetype, which can then be pushed to the relevant index.

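A complete props.conf and transforms.conf pair that combines the quoted null-queue pattern with the answer's sourcetype rewrite and adds routing of the kept events to a dedicated index; this is an added example, not configuration from the original thread or from Splunk's documentation. The sourcetype stanza `linux_secure`, the transform names and the index name `sshd_events` are assumed and must be replaced with your own.

```ini
# ---- props.conf ----
# Assumed sourcetype of the incoming syslog data; transforms run in the
# order listed, left to right, so setnull must come first.
[linux_secure]
TRANSFORMS-routing = setnull, setparsing, set_sshd_sourcetype, set_sshd_index

# ---- transforms.conf ----
# 1. Mark every event for the null queue (REGEX matches _raw by default).
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# 2. Override the queue for the events to keep; the later transform wins.
[setparsing]
REGEX = \[sshd\]
DEST_KEY = queue
FORMAT = indexQueue

# 3. Give the kept events their own sourcetype (the answer's Option 2).
[set_sshd_sourcetype]
REGEX = \[sshd\]
FORMAT = sourcetype::mycustom:linux:sshd
DEST_KEY = MetaData:Sourcetype

# 4. Send the kept events to a dedicated index (assumed index name;
#    the index must already exist on the indexer).
[set_sshd_index]
REGEX = \[sshd\]
DEST_KEY = _MetaData:Index
FORMAT = sshd_events
```

These index-time transforms run in the parsing pipeline, so they only take effect on the first Splunk instance that parses the data (a heavy forwarder, or an indexer receiving from a universal forwarder); data already parsed by an upstream indexer and forwarded on port 9997 is not re-parsed. REGEX selects events by their content (or by host, source or sourcetype via SOURCE_KEY), not by the index they are destined for, which is why the index is assigned here rather than matched.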