Getting Data In

Splunk DB Connect: Why are my props and transforms configurations not filtering out events from McAfee?

New Member

Hello all ye gurus
We have Mcafee EPO data coming into splunk as follows
- DBX app installed which connects to the EPO data and pulls the information.
- the $Splunk_home$\etc\apps\dbx\local\inputs.conf has the source (dbmon_tail.......)
- the index, sourcetype=mcafee:epo are set here

This all works well but i want to filter out a number of events that are extracted from the Mcafee EPO database. Specifically, events where the signature = "Anti-virus Standard Protection:Prevent user rights policies from being altered"

so my strategy was to use props and transforms file to filter it out
so in the props file, I added


In the transforms file, I added

REGEX = (?m)\nsignature.+Protection
DEST_KEY = queue
FORMAT = nullQueue

This is on a heavy forwarder, however, i am not able to get this to work.

where i am going wrong?
-is the transforms not being applied on the right source/sourcetype?
-is the regex not correct?
-am i using the wrong props and transforms files?

Any help would be greatly appreciated.

0 Karma


Hi jeffryjacob,

here are my answers:

is the transforms not being applied on the right source/sourcetype?
run $SPLUNK_HOME/bin/splunk cmd btool props mcafee:epo list to verify this

is the regex not correct?
Yes, it is not correct - try this signature.+Protection

am i using the wrong props and transforms files?
No, you're not

Hope this helps ...

cheers, MuS

0 Karma
Get Updates on the Splunk Community!

Splunk APM & RUM | Upcoming Planned Maintenance

There will be planned maintenance of Splunk APM’s and Splunk RUM’s streaming infrastructure in the coming ...

Part 2: Diving Deeper With AIOps

Getting the Most Out of Event Correlation and Alert Storm Detection in Splunk IT Service Intelligence   Watch ...

User Groups | Upcoming Events!

If by chance you weren't already aware, the Splunk Community is host to numerous User Groups, organized ...