Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Syslog messages ingestion

Splunkuser1103
Engager
‎11-22-2024 11:49 AM

Hello Team,

I have forwarded syslogs to Splunk Enterprise, I am trying to find a way to create props.conf and transforms.conf such a way that Splunk ingests all the messages which matches the keywords that I have defined in a regex in transforms.conf and drop all the non matching messages however I am not able to do the same.

Is there a way to do that or does transforms and props.conf only work to drop the messages which are defined in the regex as currently if I try to that Splunk is dropping only the keywords that I defined and ingesting everything else.

I am new to splunk so requesting some inputs for the same. Thanks in advance!!

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎11-22-2024 02:51 PM

The fact that it's syslog is irrelevant here. You define transforms on a per-sourcetype, per-source or per-host basis.

I assume you're trying to do this - https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad

Just remember that order of transforms is important. If you want to only index selected events and get rid of the rest you must first send them all to nullQueue and then rewrite the queue to indexQueue for the selected ones.

View solution in original post

Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎11-22-2024 02:51 PM

The fact that it's syslog is irrelevant here. You define transforms on a per-sourcetype, per-source or per-host basis.

I assume you're trying to do this - https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad

Just remember that order of transforms is important. If you want to only index selected events and get rid of the rest you must first send them all to nullQueue and then rewrite the queue to indexQueue for the selected ones.

Reply
Solved! Jump to solution

Splunkuser1103
Engager
‎11-24-2024 10:50 PM

Thanks @PickleRick , it worked!

It was the issue with the order of transforms as you pointed, I have adjusted it and now I am able to filter out only the Filter out specific events and discard the rest.

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎11-24-2024 10:59 PM

Yes, it can be a bit unintuitive at first if you are used to ACL-s and you expect the transforms list to just match at some point and don't continue. But it doesn't work this way.

All transforms are checked if their REGEX matches and are executed if it does.

 So if you want to selectively index only chosen events you must first make sure that all events are sent to nullQueue and then another transform applied afterwards will overwrite the already overwritten destination to indexQueue making sure those few events are kept.

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...