Hello all ye gurus
We have McAfee ePO data coming into Splunk as follows:
- The DBX app is installed, which connects to the ePO database and pulls the information.
- $Splunk_home$\etc\apps\dbx\local\inputs.conf has the source (dbmon_tail.......)
- The index and sourcetype=mcafee:epo are set here.
This all works well, but I want to filter out a number of events that are extracted from the McAfee ePO database. Specifically, events where signature = "Anti-virus Standard Protection:Prevent user rights policies from being altered".
So my strategy was to use the props and transforms files to filter them out.
So in the props file, I added
In the transforms file, I added
REGEX = (?m)\nsignature.+Protection
DEST_KEY = queue
FORMAT = nullQueue
This is on a heavy forwarder; however, I am not able to get this to work.
Where am I going wrong?
- Is the transform not being applied to the right source/sourcetype?
- Is the regex not correct?
- Am I using the wrong props and transforms files?
Any help would be greatly appreciated.
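Added example (not part of the original post, and not McAfee or Splunk code): a small Python model of how a Splunk nullQueue transform routes events, run against constructed sample events, to show one way the posted regex can fail. On the heavy forwarder, the transform is wired up in props.conf under the sourcetype stanza, e.g. `[mcafee:epo]` with `TRANSFORMS-null = epo_drop_access_protection`, and that name points at a transforms.conf stanza `[epo_drop_access_protection]` holding the REGEX / DEST_KEY = queue / FORMAT = nullQueue lines; REGEX is matched against the raw event text (`_raw`) and splunkd must be restarted after editing the files. The stanza name, the field layout of the sample events and the replacement regex below are assumptions for illustration; real DBX output for ePO may be laid out differently.

```python
import re
from typing import Dict, Tuple

# Constructed sample events (assumptions, not real ePO/DBX output). Two plausible
# layouts of a DB Connect key="value" event: all fields on one line, or one
# field per line. Only the second layout has a newline directly before "signature".
SINGLE_LINE_EVENT = (
    '2013-10-22 09:15:32.0 event_id="18060" '
    'signature="Anti-virus Standard Protection:Prevent user rights policies from being altered" '
    'threat_type="access protection" dest_nt_host="WKS-042"'
)
MULTI_LINE_EVENT = (
    '2013-10-22 09:15:32.0\n'
    'event_id="18060"\n'
    'signature="Anti-virus Standard Protection:Prevent user rights policies from being altered"\n'
    'threat_type="access protection"\n'
    'dest_nt_host="WKS-042"'
)
# Constructed: a different Access Protection rule that should NOT be dropped.
OTHER_RULE_EVENT = (
    '2013-10-22 09:15:40.0\n'
    'event_id="18061"\n'
    'signature="Anti-virus Standard Protection:Some other rule"\n'
    'threat_type="access protection"\n'
    'dest_nt_host="WKS-042"'
)
# Constructed: an unrelated detection that must always be kept.
KEEP_EVENT = (
    '2013-10-22 09:16:01.0 event_id="1027" signature="Infection detected" '
    'threat_type="virus" dest_nt_host="WKS-043"'
)

# The regex exactly as posted in the question. It only matches when a literal
# newline immediately precedes "signature", and any "...Protection" signature
# on that line satisfies ".+Protection".
POSTED_REGEX = r"(?m)\nsignature.+Protection"

# Hypothetical replacement (an assumption, not Splunk-supplied): anchor on the
# field name with a word boundary instead of a newline, allow an optional
# opening quote, and spell out the full signature so other rules are not dropped.
SUGGESTED_REGEX = (
    r'\bsignature="?Anti-virus Standard Protection:'
    r'Prevent user rights policies from being altered'
)


def route(raw: str, regex: str) -> str:
    """Model a transforms.conf stanza with DEST_KEY = queue / FORMAT = nullQueue:
    return "nullQueue" when the regex matches the raw event, else "indexQueue".
    Python's re is a close enough stand-in for Splunk's PCRE for these patterns."""
    return "nullQueue" if re.search(regex, raw) else "indexQueue"


def compare(events: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Return, per named event, (result with posted regex, result with suggested regex)."""
    return {
        name: (route(raw, POSTED_REGEX), route(raw, SUGGESTED_REGEX))
        for name, raw in events.items()
    }


if __name__ == "__main__":
    results = compare({
        "single_line": SINGLE_LINE_EVENT,
        "multi_line": MULTI_LINE_EVENT,
        "other_rule": OTHER_RULE_EVENT,
        "keep": KEEP_EVENT,
    })
    for name, (posted, suggested) in results.items():
        print(f"{name:12s} posted={posted:11s} suggested={suggested}")
```

Running it shows the two failure modes of the posted pattern: the single-line layout is never dropped (no newline before `signature`), while in the one-field-per-line layout the other Access Protection rule is dropped along with the intended one. Two practitioner caveats: events sent to nullQueue are discarded before indexing and cannot be recovered, and "Prevent user rights policies from being altered" is a tamper-protection signal, so confirm with whoever consumes the ePO data that dropping it is acceptable before deploying the transform.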