Solved: Help filtering data to nullQueue

aaronbarrett · ‎11-20-2020

Good day,

This is my first time trying to filter data with props.conf/transform.conf. Sorry if this post is in the wrong location.

This is on a standalone Windows Splunk 8.0.3 box.

I have placed the props.conf/transform.conf in the C:\Program Files\Splunk\etc\system\local directory.

The data I want to filter out is the Rhttpproxy data from an ESXi host.

<167>2020-11-20T15:12:26.668Z ESX01.test.com Rhttpproxy: verbose rhttpproxy[2101380] [Originator@6876 sub=Proxy Req 11290] Resolved endpoint : [N7Vmacore4Http16LocalServiceSpecE:0x0000005839540e50] _serverNamespace = /vpxa action = Allow _port = 8089

host = 192.168.10.10
process = Rhttpproxy
source = tcp:514
sourcetype = syslog
===========================
My current config is:

props.conf
[source::tcp:514]
TRANSFORMS-null = setnull

transform.conf
[setnull]
REGEX = rhttpproxy
DEST_KEY = queue
FORMAT = nullQueue
================================
Things I have tried
--
[host::192.168.10.10]
TRANSFORMS-null = setnull
--
[host::192\.168\.10\.10]
TRANSFORMS-null = setnull
--
[syslog]
TRANSFORMS-null = setnull
--
[setnull]
REGEX = verbose\srhttpproxy
DEST_KEY = queue
FORMAT = nullQueue
--
[setnull]
SOURCE_KEY = field:process
REGEX = Rhttpproxy
DEST_KEY = queue
FORMAT = nullQueue
--

I have read the documentation several times, and I am not just understanding it.
https://docs.splunk.com/Documentation/Splunk/8.1.0/Admin/Transformsconf
https://docs.splunk.com/Documentation/Splunk/8.0.3/Admin/Propsconf

Thanks in advance.
Aaron

aaronbarrett · ‎11-20-2020

I'm an idiot. It's transforms.conf, not transform.conf.
Fixing.....

View solution in original post

aaronbarrett · ‎11-20-2020

I'm an idiot. It's transforms.conf, not transform.conf.
Fixing.....

Help filtering data to nullQueue

configuration

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?