Splunk Enterprise

Help filtering data to nullQueue

aaronbarrett
Engager

Good day,

This is my first time trying to filter data with props.conf/transform.conf.  Sorry if this post is in the wrong location.

This is on a standalone Windows Splunk 8.0.3 box.

I have placed the props.conf/transform.conf in the C:\Program Files\Splunk\etc\system\local directory.

The data I want to filter out is the Rhttpproxy data from an ESXi host.

<167>2020-11-20T15:12:26.668Z ESX01.test.com Rhttpproxy: verbose rhttpproxy[2101380] [Originator@6876 sub=Proxy Req 11290] Resolved endpoint : [N7Vmacore4Http16LocalServiceSpecE:0x0000005839540e50] _serverNamespace = /vpxa action = Allow _port = 8089

host = 192.168.10.10
process = Rhttpproxy
source = tcp:514
sourcetype = syslog
===========================
My current config is:

props.conf
[source::tcp:514]
TRANSFORMS-null = setnull

transform.conf
[setnull]
REGEX = rhttpproxy
DEST_KEY = queue
FORMAT = nullQueue
================================
Things I have tried
--
[host::192.168.10.10]
TRANSFORMS-null = setnull
--
[host::192\.168\.10\.10]
TRANSFORMS-null = setnull
--
[syslog]
TRANSFORMS-null = setnull
--
[setnull]
REGEX = verbose\srhttpproxy
DEST_KEY = queue
FORMAT = nullQueue
--
[setnull]
SOURCE_KEY = field:process
REGEX = Rhttpproxy
DEST_KEY = queue
FORMAT = nullQueue
--

I have read the documentation several times, and I am not just understanding it.
https://docs.splunk.com/Documentation/Splunk/8.1.0/Admin/Transformsconf
https://docs.splunk.com/Documentation/Splunk/8.0.3/Admin/Propsconf

Thanks in advance.
Aaron

 

 

Labels (1)
0 Karma
1 Solution

aaronbarrett
Engager

I'm an idiot.  It's transforms.conf, not transform.conf.
Fixing.....

View solution in original post

0 Karma

aaronbarrett
Engager

I'm an idiot.  It's transforms.conf, not transform.conf.
Fixing.....

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...