Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Send the data to nullqueue except matching event

RSS_STT
Explorer
‎03-06-2025 07:24 AM

I want to send the all the event to nullqueue except having match "EventType": 5000.

 

{"EventID": 2154635, "EventType": 5000, "NetObjectValue": null, "EngineID": null}

 

[solarwinds:alerts]
TRANSFORMS-t=eliminate-except-5000

 

[eliminate-except-5000]
REGEX=[\w\W]+[^("EventType": 500)]
DEST_KEY=queue
FORMAT=nullQueue

Labels (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-06-2025 07:51 AM

Regular expressions don't handle negation well.  The given regex will match the sample event because the third character does not consist of "EventType".  It's probably better to index matching events and discard the rest.

[solarwinds:alerts]
TRANSFORMS-t=keep-5000, delete-others


[keep-5000]
REGEX = ("EventType": 5000)
DEST_KEY = queue
FORMAT = indexQueue

[delete-others]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-06-2025 07:51 AM

Regular expressions don't handle negation well.  The given regex will match the sample event because the third character does not consist of "EventType".  It's probably better to index matching events and discard the rest.

[solarwinds:alerts]
TRANSFORMS-t=keep-5000, delete-others


[keep-5000]
REGEX = ("EventType": 5000)
DEST_KEY = queue
FORMAT = indexQueue

[delete-others]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

livehybrid
SplunkTrust
SplunkTrust
‎03-06-2025 02:46 PM

@richgalloway 

Just a thought, but arent the transforms applied in order, so with keep-5000, delete-others it will set indexQueue if its eventType 5000, and then set nullQueue for everything (incl eventType 5000)? I think the queue can be updated multiple times with props/transforms so might need to be delete-others first so it set queue to nullQueue for everything, and then update to indexQueue for eventType 5000?

I might be wrong and cant find any solid evidence to backup my theory at the mo, other than trying it out which I will do if I get chance!

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎03-07-2025 05:23 AM

Yes. The transforms are applied

1. Within a single transform class - left to right

2. Separate transform classes are called in alphabetical order.

What is important though (and what is often overlooked by the beginners; guilty of it myself 😉) is that all matching transforms are "fired". It's not like ACL that only first one that matches is executed.

So if you want to do something only for some events, you have to _first_ do the default action (for example, redirect to nullQueue as in this example) and only _then_ update some events to get the special treatment (in this case - get them indexed).

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎03-06-2025 04:57 PM

You're right, @livehybrid I have the order reversed.  Here's the docs I couldn't find earlier: https://docs.splunk.com/Documentation/Splunk/9.4.1/Forwarding/Routeandfilterdatad#Keep_specific_even...

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎03-06-2025 03:37 PM

You @livehybrid are correct. It should be 1st send all to nullQueue and then select those events which you want to keep.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...