Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

ingest events with a specific string - remove the rest

schose
Builder
‎12-09-2020 08:16 AM

Hi all,

I'm trying to ingest (multiline) events with the string "public_ip" and remove the rest 

props.conf:

[public_ips]
TRANSFORMS-removeallnonsense = remove_unneeded

 

transforms.conf
[remove_unneeded]
REGEX = (?m)^((?!public_ip).)*$
DEST_KEY = queue
FORMAT = nullQueue
 
When i now try to ingest Data using HEC:

curl -k http://localhost:8088/services/collector -H 'Authorization: Splunk 4f40e8ab-99a6-479f-ba13-7352feb11111' \
-d '{"sourcetype": "public_ips", "event":"foobar"}'

is not indexed - fine.

 

curl -k http://localhost:8088/services/collector -H 'Authorization: Splunk 4f40e8ab-99a6-479f-ba13-7352feb11111' \
-d '{"sourcetype": "public_ips", "event":"foobar public_ip: 1.2.3.4 foobar1"}'

this is indexed - fine

when running: 

curl -k http://localhost:8088/services/collector -H 'Authorization: Splunk 4f40e8ab-99a6-479f-ba13-7352feb11111' \
-d '{"sourcetype": "public_ips", "event":"foobar public_ip: 1.2.3.4 foobar\nline2"}'

This is not indexed - not fine.  It seems i have a regex multiline issue i do not see..

Thanks for your help in advance,

Andreas

 

 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎12-09-2020 08:35 AM

Hi @schose,

could you share a sample of your logs? in this way I can analyze your regex.

Anyway, try a different approach (as described at https://docs.splunk.com/Documentation/Splunk/8.1.0/Forwarding/Routeandfilterdatad#Filter_event_data_... "take public_ip events and discrd the rest" instead of "discard all not public_ip events"; something like this:

In props.conf:

[public_ips]
TRANSFORMS-set= setnull,setparsing

In transforms.conf:

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = public_ip
DEST_KEY = queue
FORMAT = indexQueue

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎12-09-2020 08:35 AM

Hi @schose,

could you share a sample of your logs? in this way I can analyze your regex.

Anyway, try a different approach (as described at https://docs.splunk.com/Documentation/Splunk/8.1.0/Forwarding/Routeandfilterdatad#Filter_event_data_... "take public_ip events and discrd the rest" instead of "discard all not public_ip events"; something like this:

In props.conf:

[public_ips]
TRANSFORMS-set= setnull,setparsing

In transforms.conf:

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = public_ip
DEST_KEY = queue
FORMAT = indexQueue

Ciao.

Giuseppe

Reply
Solved! Jump to solution

schose
Builder
‎12-09-2020 08:44 AM

Hi @gcusello ,

I tried to share some demo data within the curl commands. 🙂

Anyway... the example you posted worked for me, awesome!

Thanks and best regards,

Andreas

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎12-09-2020 08:51 AM

Hi @schose,

good for you.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

Reply
Get Updates on the Splunk Community!

Get Schooled with Splunk Education: Explore Our Latest Courses

At Splunk Education, we’re dedicated to providing incredible learning experiences that cater to every skill ...

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...