Getting Data In

Way to exclude ingestion of events for a specific IP address from a SourceType?

elvis5
Loves-to-Learn Lots

When I try use :

transforms.conf

[setnull]
 REGEX = 192\.168\.1\.50, 172\.16\.1\.50
 DEST_KEY = queue
 FORMAT = nullQueue

 props.conf

 [cisco]
 TRANSFORMS-null = setnull

 In event I get all result. But when I use  only one ip its woks good. If any way for exclude more than one ip. 

Labels (1)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @elvis5,

it's a regex, you have to use pipe ("|") as OR condition, not comma separated values:

[setnull]
 REGEX = (192\.168\.1\.50)|(172\.16\.1\.50)
 DEST_KEY = queue
 FORMAT = nullQueue
 props.conf

Ciao.

Giuseppe

0 Karma

elvis5
Loves-to-Learn Lots

Thanks it works!

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @elvis5,

if one answer solves your need, please accept one answer for the other people of Community or tell me how I can help you.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...