Re: black hole

jcampbell1977 · ‎09-02-2020

I am attempting to black hole some data. It is based off simple strings, but my regex is not working.

1st. I want to remove all events that contain "somename@google.com"

props: sourcetype=ipstuff

[ipstuff]
TRANSFORMS-filter-events = ipstuff_drop_event

Transforms:

[ipstuff_drop_event]
REGEX = somename\@\google\.\com
DEST_KEY = queue
FORMAT = nullQueue

2nd. I want to remove all event that contain the string "totalamountsystem".

props: sourcetype=ds:fip

[ds:fip]
TRANSFORMS-filter-events=totalamountsystemDrop

Transforms:

[totalamountsystemDrop]
REGEX = totalamountsystem
DEST_KEY = queue
FORMAT = nullQueue

What am I missing here?

isoutamo · ‎09-02-2020

Hi

Are you running these on HF or indexer?

in the 1st case your regex should be

REGEX = somename@google\.com

and 2nd

try

REGEX = .*totalamountsystem.*

if there could be any non breaker character within that world

r. Ismo

jcampbell1977 · ‎09-03-2020

I am performing on an indexer and these logs are still getting indexed after applying these changes. Do I need to adjust the sourcetype definition in the stanza?

isoutamo · ‎09-03-2020

There is no HF before indexer? And you have restarted indexer after change?

Sourcetype names are correct.

black hole

administration

configuration

other

troubleshooting

using Splunk Enterprise

Splunk APM & RUM | Upcoming Planned Maintenance

Part 2: Diving Deeper With AIOps

User Groups | Upcoming Events!