Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

forward specified events to reciever

khanlarloo
Explorer
‎08-18-2018 04:04 AM

i need only recieve events with action=blocked from farwrders,

my logs are :
Aug 18 12:56:13 192.168.X.X date=2018-08-18 time=12:50:36 devname="XXX" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1534580436 srcip=192.168.x.x srcname="SPLUNK" srcport=138 srcintf="internal" srcintfrole="lan" dstip=192.168.x.x dstport=138 dstintf=unknown-0 dstintfrole="undefined" sessionid=76899473 proto=17 action="deny" policyid=0 policytype="local-in-policy" service="udp/138" dstcountry="Reserved"

i config my props.conf:

[host::192.168.X.X]
TRANSFORMS-null= setnull,setparsing

and transforms.conf

[setnull]
REGEX = .*
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = (?m)^action=(blocked)
DEST_KEY = queue
FORMAT = indexQueue

but when i do this forwarder doesn't receive any logs from my device,can you tell me where is my mistake?

Tags (1)
0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎08-18-2018 09:33 AM

Your regex in the setnull is too broad. .* will match everything. Thus sending everything to null queue, and never to indexes.

Your regex in setparsing is interesting.

REGEX = (?m)^action=(blocked)

This would only match events that begin with "action=blocked", but i dont understand why you have a capture group around (blocked).

0 Karma
Reply

khanlarloo
Explorer
‎08-18-2018 11:42 AM

i have problem when i do this i don't receive any logs from my device in forwarder
where is my mistake? is this configuration right?

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎08-18-2018 12:52 PM

What are you trying to do?

0 Karma
Reply

khanlarloo
Explorer
‎08-19-2018 08:49 PM

i have one HF and i want to send specific field from my HF to receiver.
the field in my HF is action and i want HF just send field action=block to my receiver.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎08-20-2018 04:53 AM

Try changing transforms to this

 [setnull]
 REGEX = .*
 DEST_KEY = queue
 FORMAT = nullQueue

 [setparsing]
 REGEX = action\=blocked
 DEST_KEY = queue
 FORMAT = indexQueue
0 Karma
Reply

khanlarloo
Explorer
‎08-25-2018 10:56 PM

i do this in my HF but it doesn't work.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎08-26-2018 04:30 AM

In your transforms, try putting nullQueue 2nd

TRANSFORMS-null= setparsing, setnull

Make sure you reload the data to see the effect

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...