Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- do not index events using props/transforms regex h...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
do not index events using props/transforms regex help
mjm295
Path Finder
06-11-2020
06:39 PM
Hi
A recent agent install across our infrastructure has created a flood in the proxy logs of blocked messages which is blowing out our license.
Until there is a proper fix I need to stop ingesting events related to 1 URL.
I think I just need help with the REGEX part.
Log are dropped to a syslog server running a heavy forwarder, then we run a monitor on that log file.
Inputs.conf
[monitor:///remotesyslogs/mgmt-austaiaecho00*/*.log]
disabled = false
index = star_proxy
sourcetype = cisco:wsa:squid
props.conf
[cisco:wsa:squid]
TRANSFORMS-screen=eliminate-screenconnect
transforms.conf
[eliminate-screenconnect]
REGEX = ?.=screenconnect
DEST_KEYi = queue
FORMAT = nullQueue
Example event from log file:
2020-06-12T04:04:55+10:00 mgmt-austaiaecho005.casino.internal accesslogs_splunk: Info: 1591898695.320 0 10.10.216.100 TCP_DENIED/407 0 CONNECT tunnel://screenconnect.techmedia.com.au:8080/ - NONE/- - OTHER-NONE-DefaultGroup-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-"> - - "12/Jun/2020:04:04:55 +1000" -
Basically for next 4 weeks I need to drop all events with
screenconnect.techmedia.com.au
Thanks
Mark
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
06-20-2020
06:02 PM
[eliminate-screenconnect]
REGEX = screenconnect\.techmedia\.com\.au
DEST_KEY = queue
FORMAT = nullQueueA simple REGEX is enough for nullQueue.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
alonsocaio
Contributor
06-20-2020
07:24 AM
Hi,
I would try to use some regex like this one:
^.+screenconnect\.techmedia\.com\.au.+$
I have tested it using Regex101 (https://regex101.com/r/gHJVDp/2), with the URLs below:
screenconnect.techmedia.com.au
screenconnect2.techmedia.com.au
screenconnect.techmedia10.com.au
* I also recommend you to test this regex (and any other you build or find) in a dev environment, before using it in your production transforms.conf file.
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
Splunk Lantern’s Guide to The Most Popular .conf25 Sessions
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Unlock What’s Next: The Splunk Cloud Platform at .conf25
In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...
Index This | How many sevens are there between 1 and 100?
August 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this ...
