Getting Data In
Highlighted

filtering off events based based on ip address

Contributor

Hi,

I am trying to filter off ip address on our splunk server based on the source - C:\http server\logs\web-access.log

A sample of the event looks like this:
192.168.1.15 - - [17/Feb/2011:18:13:34 +0800] "GET /" 200 8146

And my configuration:
props.conf
[source::C:\\http server\\logs\\web-access.log]
TRANSFORMS-null = sendnull

transforms.conf
[sendnull]
REGEX = 192\.168\.1\.15
DEST_KEY = queue
FORMAT = nullQueue

I still see events from 192.168.1.15 coming in.Any idea?

Tags (1)
0 Karma
Highlighted

Re: filtering off events based based on ip address

Path Finder

Stanza name in props.conf is incorrect: you've got to prepend it with "source::".

See props.conf spec for more info

[<spec>]
* This stanza enables properties for a given <spec>. 
* A props.conf file can contain multiple stanzas for any number of different <spec>.
* Follow this stanza name with any number of the following attribute/value pairs.
* If you do not set an attribute for a given <spec>, the default is used.

<spec> can be:
1. <sourcetype>, the source type of an event.
2. host::<host>, where <host> is the host for an event.
3. source::<source>, where <source> is the source for an event.
[...]
0 Karma
Highlighted

Re: filtering off events based based on ip address

Contributor

The file path should be "C:\http server\logs\web-access.log". There's a space between "http" and "server". I've amended my post.

0 Karma
Highlighted

Re: filtering off events based based on ip address

Contributor

I've also tried to specify this in the stanza name in props.conf:
[source::C:\http server\logs\web-access.log]..but not working..Could it be due to the space between http and server?

0 Karma
Highlighted

Re: filtering off events based based on ip address

Contributor

also to mention,my splunk server is receiving events from the web server,where splunk is installed as a forwarder and configured to read apache log files locally before forwarding them.

0 Karma
Highlighted

Re: filtering off events based based on ip address

Contributor

any idea what's wrong with my config?

0 Karma
Highlighted

Re: filtering off events based based on ip address

Path Finder

If the instance monitoring the log is not a light-weight forwarder, then all transforms should be done there. In such a case your config will have no effect on the indexer.

0 Karma