Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

exclude events based on field

martinnepolean
Explorer
‎08-09-2019 04:43 AM

Hi,
Using filemonitor. we are collecting data from a file which sends data of all nix servers. Now we want to only exclude the linux servers. One of the field in teh events have the Ip address of the destination linux servers and we can use it differentiate the servers. But I am not sure how and where I have to configure this blacklist.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-09-2019 11:03 AM

Filter event using transforms. This is impractical for a long list of addresses, however.

Props.conf:

[mysourcetype]
TRANSFORMS-filter = filterLinux

Transforms.conf:

[filterLinux]
# Enter Linux IP addresses here
REGEX = ipAddress = (10\.1\.2\.3|10\.2\.3\.4|10\.3\.4\.5)
DEST_KEY = nullQueue
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

martinnepolean
Explorer
‎08-12-2019 12:54 AM

We already have props and transforms on this filemonitor forwarder to change the index based on the event. so where I have to add the above filter? forwarder or indexer?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-13-2019 05:03 AM

The settings in my answer go on your indexers or heavy forwarders, whichever is first to process the events.

I'm not aware of a method to look up host names at index time. If such a method exists, it would slow indexing significantly.

Is it possible to change how the data is logged? Perhaps add a platform/OS indication? Maybe separate the data into separate files by platform?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

martinnepolean
Explorer
‎08-12-2019 08:38 AM

And the IP address list is big, is it possible
1. To get the hostname of those IP in the new field(maybe run nslookup and assign it to the new field)
2. and use them for filtering because we need not be updating this file if new Linux server comes into the environment.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-09-2019 06:01 AM

To clarify:
You have a file containing events from several systems. [Why not have each system send to Splunk?]
You want to exclude the events from Linux systems.
Linux systems are identified by IP address.
Do you want to exclude the data at index time or search time? Doing so at index time may be a challenge unless the list of Linux IP addresses is short and static.

---
If this reply helps you, Karma would be appreciated.
Reply

martinnepolean
Explorer
‎08-09-2019 09:51 AM
  1. These are particular application log on all servers forwarded to the application log server.
  2. Yes, I want to exclude only linux events
  3. all servers logs are identified by IP address only
  4. i want to exclude @ index time. we have the list of IP which need to be excluded.

looking for a way to exclude events based on a field which has Ip address

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...