Splunk Enterprise Security

Keep specific events and discard the rest

yosoypako
Path Finder

Hello
I want to index the events in the firewall logs based on the alert level and the virtual domain in which they were generated. I have followed the guide at https://docs.splunk.com/Documentation/Splunk/7.0.2/Forwarding/Routeandfilterdatad#Perform_selective_...
but the indexer is indexing all the events, not only the events that match the regular expression. I think that the setnull stanza may not be working, but I am not sure how to fix it.

This is the content of props.conf:

[source::/opt/LOGs/firewalls]
TRANSFORMS-set= setnull,setindexone,setindextwo,setindexthree,setindexfour

And this is the content of transforms.conf:

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setindexone]
REGEX = level="(error|critical|alert|emergency)".*(vd="one")
DEST_KEY = queue
FORMAT = indexQueue

[setindextwo]
REGEX = level="(critical|alert|emergency)".*(vd="two")
DEST_KEY = queue
FORMAT = indexQueue

[setindexthree]
REGEX = level="(critical|alert|emergency)".*(vd="three")
DEST_KEY = queue
FORMAT = indexQueue

[setindexfour]
REGEX = level="(alert|emergency)".*(vd="four")
DEST_KEY = queue
FORMAT = indexQueue

Also, I have checked with the commands "btool --app=Splunk_TA_fortinet_fortigate transforms list" and "props list" that the .conf file configuration is being loaded.

Thanks

0 Karma
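The props.conf and transforms.conf posted above can be checked offline before touching an indexer. The script below is an added example, not part of the original post and not Splunk's own code: it parses both files and simulates how Splunk's index-time TRANSFORMS chain routes each event. The transforms run in the order listed in TRANSFORMS-set, every transform whose REGEX matches overwrites its DEST_KEY, so the last match wins; that is why the catch-all [setnull] has to be first and the allow-list stanzas after it. The FortiGate-style events are constructed for the example (the level= field precedes vd= as it does in FortiGate syslog, which the posted regexes depend on). Python's re engine is not Splunk's PCRE, but it handles these particular patterns identically.

```python
import configparser
import re

# props.conf and transforms.conf as posted in the thread, embedded as strings.
PROPS_CONF = """
[source::/opt/LOGs/firewalls]
TRANSFORMS-set = setnull,setindexone,setindextwo,setindexthree,setindexfour
"""

TRANSFORMS_CONF = """
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setindexone]
REGEX = level="(error|critical|alert|emergency)".*(vd="one")
DEST_KEY = queue
FORMAT = indexQueue

[setindextwo]
REGEX = level="(critical|alert|emergency)".*(vd="two")
DEST_KEY = queue
FORMAT = indexQueue

[setindexthree]
REGEX = level="(critical|alert|emergency)".*(vd="three")
DEST_KEY = queue
FORMAT = indexQueue

[setindexfour]
REGEX = level="(alert|emergency)".*(vd="four")
DEST_KEY = queue
FORMAT = indexQueue
"""

# Constructed FortiGate-style sample events (not real log lines from the thread).
SAMPLE_EVENTS = [
    'date=2018-03-01 time=10:00:01 devname="fgt1" level="notice" vd="one" logdesc="Admin login"',
    'date=2018-03-01 time=10:00:02 devname="fgt1" level="error" vd="one" logdesc="Interface down"',
    'date=2018-03-01 time=10:00:03 devname="fgt1" level="error" vd="two" logdesc="Interface down"',
    'date=2018-03-01 time=10:00:04 devname="fgt1" level="critical" vd="two" logdesc="HA failover"',
    'date=2018-03-01 time=10:00:05 devname="fgt1" level="critical" vd="four" logdesc="HA failover"',
    'date=2018-03-01 time=10:00:06 devname="fgt1" level="emergency" vd="four" logdesc="System halt"',
]


def load_conf(text):
    """Parse Splunk-style .conf text. Keys stay case-sensitive and '=' inside values is kept."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def transform_chain(props_text, transforms_text, stanza):
    """Resolve the TRANSFORMS-* lists of one props stanza into ordered
    (name, compiled regex, DEST_KEY, FORMAT) tuples."""
    props = load_conf(props_text)
    transforms = load_conf(transforms_text)
    chain = []
    # Splunk applies TRANSFORMS-<class> settings in ASCII order of <class>,
    # and the transforms inside each list in the order they are written.
    for key in sorted(k for k in props[stanza] if k.startswith("TRANSFORMS")):
        for name in props[stanza][key].split(","):
            t = transforms[name.strip()]
            chain.append((name.strip(), re.compile(t["REGEX"]), t["DEST_KEY"], t["FORMAT"]))
    return chain


def route_event(raw, chain):
    """Run one raw event through the chain. Each matching transform overwrites its
    DEST_KEY, so the last match decides; the queue defaults to indexQueue."""
    keys = {"queue": "indexQueue"}
    for _name, regex, dest_key, fmt in chain:
        if regex.search(raw):
            keys[dest_key] = fmt
    return keys["queue"]


def route_events(events, chain):
    """Return (event, queue) pairs for a list of raw events."""
    return [(raw, route_event(raw, chain)) for raw in events]


CHAIN = transform_chain(PROPS_CONF, TRANSFORMS_CONF, "source::/opt/LOGs/firewalls")

if __name__ == "__main__":
    for raw, queue in route_events(SAMPLE_EVENTS, CHAIN):
        print(f"{queue:10s} {raw}")
```

Reordering the chain so that setnull is last sends every event to nullQueue, and removing it sends everything to indexQueue; that is the behaviour to keep in mind when the indexer appears to ignore the filter.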

yosoypako
Path Finder

OK, now it is working. I have added props.conf and transforms.conf to the forwarder (/opt/splunk/etc/system/local/) and it is working.
For future similar issues: how can I check whether the input data is already being parsed by the forwarder before it reaches the indexer? As I have read, if the indexer receives data already parsed by the forwarder, it will not transform and filter it; it will be indexed directly.

Thanks for your help.

0 Karma

FrankVl
Ultra Champion

If that forwarder is a universal forwarder as you claimed, it doesn't make too much sense that this fixes it...

0 Karma

richgalloway
SplunkTrust

@yosoypako If your problem is resolved, please accept the answer to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma

yosoypako
Path Finder

Hello.

If I use the btool command (splunk.exe cmd btool props list fgt_utm --debug) I can see that the setnull stanza that is being chosen is this one, with REGEX = .

Thanks.

0 Karma

FrankVl
Ultra Champion

How can you see that from a btool on props?

Can you run a btool on transforms and grep it for setnull, to see if there are conflicting setnull stanzas?

0 Karma

lakshman239
Influencer

Are you trying to send events to diff indexes based on the values of vd? If so, you would need DEST_KEY = _MetaData:Index and FORMAT = yourindexname

0 Karma

yosoypako
Path Finder

Hello

I want to send all the logs from the different vds to the same index, but I want to filter which alert level messages are going to be indexed from each vd. So in one index I could index only the alert and emergency levels, but in another vd the critical, alert and emergency levels.
I have not written this in the initial post, but there are two different Splunk machines in this setup: an indexer and a universal forwarder. I am editing the props.conf and transforms.conf files only on the indexer, not on the forwarder. How can I confirm that the forwarder is not parsing any event?

Thanks.

0 Karma

FrankVl
Ultra Champion

If there is only a UF and an indexer involved, no heavy forwarder, then the indexer should indeed be the right place for this config.

"setnull" is a very generic name though. Any chance you have another transforms stanza named that way, that happens to take precedence and has a more specific REGEX setting, that doesn't match your firewall data?

0 Karma
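FrankVl's suggestion here, and in the earlier reply asking for a btool grep, is to look for a second [setnull] stanza that outranks the poster's. The script below is an added example, not part of the thread and not Splunk's own tooling: it walks a Splunk etc/ tree, lists every transforms.conf that defines a given stanza, orders the definitions by the global-context precedence that Splunk's configuration-file documentation describes (system/local, then every app's local directory, then every app's default directory, then system/default, with app directory names compared in ASCII order), and merges the settings per key the way Splunk layers conf files. The tree it builds (the app names my_fw_filters, another_app and zz_blank_dropper and their stanzas) is constructed for the demo. On a real host, splunk btool transforms list setnull --debug remains the authoritative view, since it prints the winning file for each setting.

```python
import configparser
import tempfile
from pathlib import Path

# Constructed demo tree (not the poster's deployment): the user's catch-all setnull
# in their own app, plus two hypothetical apps that also define [setnull] but only
# for blank lines, so the merged stanza never matches a firewall event.
DEMO_FILES = {
    "apps/my_fw_filters/local/transforms.conf":
        "[setnull]\nREGEX = .\nDEST_KEY = queue\nFORMAT = nullQueue\n",
    "apps/another_app/local/transforms.conf":
        "[setnull]\nREGEX = ^\\s*$\nDEST_KEY = queue\nFORMAT = nullQueue\n",
    "apps/zz_blank_dropper/default/transforms.conf":
        "[setnull]\nREGEX = ^$\nDEST_KEY = queue\nFORMAT = nullQueue\n",
}


def _in_scope(rel):
    """Only system/{local,default}/<conf> and apps/<app>/{local,default}/<conf>
    take part in the global (index-time) precedence order."""
    if rel[0] == "system":
        return len(rel) == 3 and rel[1] in ("local", "default")
    return rel[0] == "apps" and len(rel) == 4 and rel[2] in ("local", "default")


def precedence_key(rel):
    """Sort key: lower sorts first and wins. Tiers follow Splunk's documented
    global-context order; within the app tiers, ASCII order of the app directory name."""
    if rel[0] == "system":
        return (0 if rel[1] == "local" else 3, "")
    return (1 if rel[2] == "local" else 2, rel[1])


def read_stanzas(path):
    """Parse one .conf file into {stanza: {key: value}}, keeping key case and '=' in values."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str
    cp.read_string(path.read_text())
    return {name: dict(cp[name]) for name in cp.sections()}


def find_stanza(splunk_etc, conf_name, stanza):
    """Return every definition of `stanza` in any `conf_name` under etc/,
    as (relative path, settings) pairs, highest precedence first."""
    root = Path(splunk_etc)
    hits = []
    for path in root.rglob(conf_name):
        rel = path.relative_to(root).parts
        if not _in_scope(rel):
            continue
        stanzas = read_stanzas(path)
        if stanza in stanzas:
            hits.append((precedence_key(rel), "/".join(rel), stanzas[stanza]))
    hits.sort(key=lambda h: h[0])
    return [(rel, settings) for _, rel, settings in hits]


def effective_settings(definitions):
    """Merge per key the way Splunk layers conf files: the highest-precedence
    file that sets a key wins, lower files only fill in keys it leaves unset."""
    merged = {}
    for _, settings in reversed(definitions):
        merged.update(settings)
    return merged


def demo():
    """Build the constructed tree in a temp dir and resolve [setnull] in transforms.conf."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, text in DEMO_FILES.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(text)
        return find_stanza(root, "transforms.conf", "setnull")


if __name__ == "__main__":
    defs = demo()
    for rel, settings in defs:
        print(f"{rel}: {settings}")
    print("effective:", effective_settings(defs))
```

Point find_stanza at a real $SPLUNK_HOME/etc to list the competing definitions; a stanza name as generic as setnull is worth renaming to something app-specific (for example fw_setnull) so that no other app's copy can shadow it.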

yosoypako
Path Finder

Hello
I have tried to use the sourcetype in the props.conf file, but it is still not working.
If I use btool (cmd btool props list) it shows:

TRANSFORMS =
TRANSFORMS-set = setnull,setindexone,setindextwo,setindexthree,setindexfour

And if I use the btool command with both the app and the sourcetype it shows:

TRANSFORMS-set = setnull,setindexone,setindextwo,setindexthree,setindexfour

Any ideas why it is not filtering the events?

Regards.

0 Karma