Splunk Enterprise

black hole

jcampbell1977
Explorer

I am attempting to black hole some data. It is based off simple strings, but my regex is not working. 

1st. I want to remove all events that contain "somename@google.com"

props: sourcetype=ipstuff

[ipstuff]
TRANSFORMS-filter-events = ipstuff_drop_event

Transforms: 

[ipstuff_drop_event]
REGEX = somename\@\google\.\com
DEST_KEY = queue
FORMAT = nullQueue

2nd. I want to remove all event that contain the string "totalamountsystem".

props: sourcetype=ds:fip

[ds:fip]
TRANSFORMS-filter-events=totalamountsystemDrop

Transforms:

[totalamountsystemDrop]
REGEX = totalamountsystem
DEST_KEY = queue
FORMAT = nullQueue

 

What am I missing here?

 

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

Are you running these on HF or indexer? 

in the 1st case your regex should be

REGEX = somename@google\.com

and 2nd

try

REGEX = .*totalamountsystem.*

if there could be any non breaker character within that world

r. Ismo

0 Karma

jcampbell1977
Explorer

I am performing on an indexer and these logs are still getting indexed after applying these changes. Do I need to adjust the sourcetype definition in the stanza?

0 Karma

isoutamo
SplunkTrust
SplunkTrust
There is no HF before indexer? And you have restarted indexer after change?

Sourcetype names are correct.
0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...