Splunk DB Connect: Why are my props and transforms...

jeffryjacob · ‎02-05-2015

Hello all ye gurus
We have Mcafee EPO data coming into splunk as follows
- DBX app installed which connects to the EPO data and pulls the information.
- the $Splunk_home$\etc\apps\dbx\local\inputs.conf has the source (dbmon_tail.......)
- the index, sourcetype=mcafee:epo are set here

This all works well but i want to filter out a number of events that are extracted from the Mcafee EPO database. Specifically, events where the signature = "Anti-virus Standard Protection:Prevent user rights policies from being altered"

so my strategy was to use props and transforms file to filter it out
so in the props file, I added

[mcafee:epo]
TRANSFORMS-filter_unwanted_events=filter_unwanted_events

In the transforms file, I added

[filter_unwanted_events]
REGEX = (?m)\nsignature.+Protection
DEST_KEY = queue
FORMAT = nullQueue

This is on a heavy forwarder, however, i am not able to get this to work.

where i am going wrong?
-is the transforms not being applied on the right source/sourcetype?
-is the regex not correct?
-am i using the wrong props and transforms files?

Any help would be greatly appreciated.
Thanks!

MuS · ‎02-05-2015

Hi jeffryjacob,

here are my answers:

is the transforms not being applied on the right source/sourcetype?
run $SPLUNK_HOME/bin/splunk cmd btool props mcafee:epo list to verify this

is the regex not correct?
Yes, it is not correct - try this signature.+Protection

am i using the wrong props and transforms files?
No, you're not

Hope this helps ...

cheers, MuS

Splunk DB Connect: Why are my props and transforms configurations not filtering out events from McAfee?

Splunk APM & RUM | Upcoming Planned Maintenance

Part 2: Diving Deeper With AIOps

User Groups | Upcoming Events!