Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk DB Connect: Why are my props and transforms configurations not filtering out events from McAfee?

jeffryjacob
New Member
‎02-05-2015 10:27 PM

Hello all ye gurus
We have Mcafee EPO data coming into splunk as follows
- DBX app installed which connects to the EPO data and pulls the information.
- the $Splunk_home$\etc\apps\dbx\local\inputs.conf has the source (dbmon_tail.......)
- the index, sourcetype=mcafee:epo are set here

This all works well but i want to filter out a number of events that are extracted from the Mcafee EPO database. Specifically, events where the signature = "Anti-virus Standard Protection:Prevent user rights policies from being altered"

so my strategy was to use props and transforms file to filter it out
so in the props file, I added

[mcafee:epo]
TRANSFORMS-filter_unwanted_events=filter_unwanted_events

In the transforms file, I added

[filter_unwanted_events]
REGEX = (?m)\nsignature.+Protection
DEST_KEY = queue
FORMAT = nullQueue

This is on a heavy forwarder, however, i am not able to get this to work.

where i am going wrong?
-is the transforms not being applied on the right source/sourcetype?
-is the regex not correct?
-am i using the wrong props and transforms files?

Any help would be greatly appreciated.
Thanks!

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎02-05-2015 10:55 PM

Hi jeffryjacob,

here are my answers:

is the transforms not being applied on the right source/sourcetype?
run $SPLUNK_HOME/bin/splunk cmd btool props mcafee:epo list to verify this

is the regex not correct?
Yes, it is not correct - try this signature.+Protection

am i using the wrong props and transforms files?
No, you're not

Hope this helps ...

cheers, MuS

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Splunk Observability Metrics Cost Optimization

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...