Splunk Enterprise

black hole

jcampbell1977
Explorer

I am attempting to black hole some data. It is based off simple strings, but my regex is not working. 

1st. I want to remove all events that contain "somename@google.com"

props: sourcetype=ipstuff

[ipstuff]
TRANSFORMS-filter-events = ipstuff_drop_event

Transforms: 

[ipstuff_drop_event]
REGEX = somename\@\google\.\com
DEST_KEY = queue
FORMAT = nullQueue

2nd. I want to remove all event that contain the string "totalamountsystem".

props: sourcetype=ds:fip

[ds:fip]
TRANSFORMS-filter-events=totalamountsystemDrop

Transforms:

[totalamountsystemDrop]
REGEX = totalamountsystem
DEST_KEY = queue
FORMAT = nullQueue

 

What am I missing here?

 

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

Are you running these on HF or indexer? 

in the 1st case your regex should be

REGEX = somename@google\.com

and 2nd

try

REGEX = .*totalamountsystem.*

if there could be any non breaker character within that world

r. Ismo

0 Karma

jcampbell1977
Explorer

I am performing on an indexer and these logs are still getting indexed after applying these changes. Do I need to adjust the sourcetype definition in the stanza?

0 Karma

isoutamo
SplunkTrust
SplunkTrust
There is no HF before indexer? And you have restarted indexer after change?

Sourcetype names are correct.
0 Karma
Get Updates on the Splunk Community!

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...

Thank You for Celebrating CX Day with Splunk!

Yesterday the entire team at Splunk + Cisco joined the global celebration of CX Day - celebrating our ...