Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Syslog messages ingestion

Splunkuser1103
Engager
‎11-22-2024 11:49 AM

Hello Team,

I have forwarded syslogs to Splunk Enterprise, I am trying to find a way to create props.conf and transforms.conf such a way that Splunk ingests all the messages which matches the keywords that I have defined in a regex in transforms.conf and drop all the non matching messages however I am not able to do the same.

Is there a way to do that or does transforms and props.conf only work to drop the messages which are defined in the regex as currently if I try to that Splunk is dropping only the keywords that I defined and ingesting everything else.

I am new to splunk so requesting some inputs for the same. Thanks in advance!!

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎11-22-2024 02:51 PM

The fact that it's syslog is irrelevant here. You define transforms on a per-sourcetype, per-source or per-host basis.

I assume you're trying to do this - https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad

Just remember that order of transforms is important. If you want to only index selected events and get rid of the rest you must first send them all to nullQueue and then rewrite the queue to indexQueue for the selected ones.

View solution in original post

Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎11-22-2024 02:51 PM

The fact that it's syslog is irrelevant here. You define transforms on a per-sourcetype, per-source or per-host basis.

I assume you're trying to do this - https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad

Just remember that order of transforms is important. If you want to only index selected events and get rid of the rest you must first send them all to nullQueue and then rewrite the queue to indexQueue for the selected ones.

Reply
Solved! Jump to solution

Splunkuser1103
Engager
‎11-24-2024 10:50 PM

Thanks @PickleRick , it worked!

It was the issue with the order of transforms as you pointed, I have adjusted it and now I am able to filter out only the Filter out specific events and discard the rest.

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎11-24-2024 10:59 PM

Yes, it can be a bit unintuitive at first if you are used to ACL-s and you expect the transforms list to just match at some point and don't continue. But it doesn't work this way.

All transforms are checked if their REGEX matches and are executed if it does.

 So if you want to selectively index only chosen events you must first make sure that all events are sent to nullQueue and then another transform applied afterwards will overwrite the already overwritten destination to indexQueue making sure those few events are kept.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Mile High Learning with Splunk University, Denver, Colorado

If Denver is known for its mile-high elevation, Splunk University is about to raise the bar on technical ...

IT Service Intelligence 5.0 Series: Your Guide to the June Launch

We are excited to announce the June release of Splunk IT Service Intelligence (ITSI) 5.0. This update ...

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...