Splunk Ingest Actions - Using Eval Expression Synt...

gazoscreek · ‎03-10-2023

In configuring Rules for Splunk Ingest Actions I have a sourcetype configured for numerous "Filter with Regular expression" stanzas that is properly dropping events ...

However, I'd like to have the same sourcetype drop messages where host=foo-* ...

I might be able to use the eval expression to do that, but I'm not sure how to construct it in a format acceptable to the UI, and functionally appropriate.

eval true = if(match(host,"^foo-"),true,null())

I'm sure that's wrong, but there really are no examples that I've been able to find other than "true()"

jbillings21 · ‎10-23-2023

I know this is quite a late response, but you should be able to accomplish this with using the "Filter using Regex".

Select "host" for Source Field

In "Drop Events Matching Regular Expression", enter ^foo-

That will set it so any events with the host field value, that starts with foo- will be dropped.

Splunk Ingest Actions - Using Eval Expression Syntax

heavy forwarder

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Join the Conversation