Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Send the data to nullqueue except matching event

RSS_STT
Explorer
‎03-06-2025 07:24 AM

I want to send the all the event to nullqueue except having match "EventType": 5000.

 

{"EventID": 2154635, "EventType": 5000, "NetObjectValue": null, "EngineID": null}

 

[solarwinds:alerts]
TRANSFORMS-t=eliminate-except-5000

 

[eliminate-except-5000]
REGEX=[\w\W]+[^("EventType": 500)]
DEST_KEY=queue
FORMAT=nullQueue

Labels (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-06-2025 07:51 AM

Regular expressions don't handle negation well.  The given regex will match the sample event because the third character does not consist of "EventType".  It's probably better to index matching events and discard the rest.

[solarwinds:alerts]
TRANSFORMS-t=keep-5000, delete-others


[keep-5000]
REGEX = ("EventType": 5000)
DEST_KEY = queue
FORMAT = indexQueue

[delete-others]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-06-2025 07:51 AM

Regular expressions don't handle negation well.  The given regex will match the sample event because the third character does not consist of "EventType".  It's probably better to index matching events and discard the rest.

[solarwinds:alerts]
TRANSFORMS-t=keep-5000, delete-others


[keep-5000]
REGEX = ("EventType": 5000)
DEST_KEY = queue
FORMAT = indexQueue

[delete-others]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

livehybrid
SplunkTrust
SplunkTrust
‎03-06-2025 02:46 PM

@richgalloway 

Just a thought, but arent the transforms applied in order, so with keep-5000, delete-others it will set indexQueue if its eventType 5000, and then set nullQueue for everything (incl eventType 5000)? I think the queue can be updated multiple times with props/transforms so might need to be delete-others first so it set queue to nullQueue for everything, and then update to indexQueue for eventType 5000?

I might be wrong and cant find any solid evidence to backup my theory at the mo, other than trying it out which I will do if I get chance!

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎03-07-2025 05:23 AM

Yes. The transforms are applied

1. Within a single transform class - left to right

2. Separate transform classes are called in alphabetical order.

What is important though (and what is often overlooked by the beginners; guilty of it myself 😉) is that all matching transforms are "fired". It's not like ACL that only first one that matches is executed.

So if you want to do something only for some events, you have to _first_ do the default action (for example, redirect to nullQueue as in this example) and only _then_ update some events to get the special treatment (in this case - get them indexed).

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎03-06-2025 04:57 PM

You're right, @livehybrid I have the order reversed.  Here's the docs I couldn't find earlier: https://docs.splunk.com/Documentation/Splunk/9.4.1/Forwarding/Routeandfilterdatad#Keep_specific_even...

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎03-06-2025 03:37 PM

You @livehybrid are correct. It should be 1st send all to nullQueue and then select those events which you want to keep.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2026-2027 SplunkTrust is officially open. If ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...