Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

filtering off events based based on ip address

remy06
Contributor
‎02-17-2011 10:19 AM

Hi,

I am trying to filter off ip address on our splunk server based on the source - C:\http server\logs\web-access.log

A sample of the event looks like this:
192.168.1.15 - - [17/Feb/2011:18:13:34 +0800] "GET /" 200 8146

And my configuration:
props.conf
[source::C:\\http server\\logs\\web-access.log]
TRANSFORMS-null = sendnull

transforms.conf
[sendnull]
REGEX = 192\.168\.1\.15
DEST_KEY = queue
FORMAT = nullQueue

I still see events from 192.168.1.15 coming in.Any idea?

Tags (1)
0 Karma
Reply

IgorB
Path Finder
‎04-22-2011 02:00 AM

If the instance monitoring the log is not a light-weight forwarder, then all transforms should be done there. In such a case your config will have no effect on the indexer.

0 Karma
Reply

remy06
Contributor
‎02-21-2011 07:57 AM

any idea what's wrong with my config?

0 Karma
Reply

remy06
Contributor
‎02-18-2011 03:47 AM

also to mention,my splunk server is receiving events from the web server,where splunk is installed as a forwarder and configured to read apache log files locally before forwarding them.

0 Karma
Reply

remy06
Contributor
‎02-18-2011 02:57 AM

I've also tried to specify this in the stanza name in props.conf:
[source::C:\http server\logs\web-access.log]..but not working..Could it be due to the space between http and server?

0 Karma
Reply

remy06
Contributor
‎02-18-2011 02:54 AM

The file path should be "C:\http server\logs\web-access.log". There's a space between "http" and "server". I've amended my post.

0 Karma
Reply

IgorB
Path Finder
‎02-17-2011 11:36 AM

Stanza name in props.conf is incorrect: you've got to prepend it with "source::".

See props.conf spec for more info 

[<spec>]
* This stanza enables properties for a given <spec>. 
* A props.conf file can contain multiple stanzas for any number of different <spec>.
* Follow this stanza name with any number of the following attribute/value pairs.
* If you do not set an attribute for a given <spec>, the default is used.

<spec> can be:
1. <sourcetype>, the source type of an event.
2. host::<host>, where <host> is the host for an event.
3. source::<source>, where <source> is the source for an event.
[...]
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...