Getting Data In

Splunk Ingest Actions - Using Eval Expression Syntax

gazoscreek
Path Finder

In configuring Rules for Splunk Ingest Actions I have a sourcetype configured for numerous "Filter with Regular expression" stanzas that is properly dropping events ...

However, I'd like to have the same sourcetype drop messages where host=foo-*  ...

I might be able to use the eval expression to do that, but I'm not sure how to construct it in a format acceptable to the UI, and functionally appropriate.

eval true = if(match(host,"^foo-"),true,null())

I'm sure that's wrong, but there really are no examples that I've been able to find other than "true()" 

Labels (1)
0 Karma

jbillings21
Splunk Employee
Splunk Employee

I know this is quite a late response, but you should be able to accomplish this with using the "Filter using Regex".

Select "host" for Source Field

In "Drop Events Matching Regular Expression", enter ^foo-

That will set it so any events with the host field value, that starts with foo- will be dropped. 

0 Karma
Get Updates on the Splunk Community!

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

  Now On Demand  Stay ahead of today’s evolving threats with the combined power of the Splunk Threat Research ...

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Automated Archival is a new capability within Metrics Management; which is a robust usage & cost optimization ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...