Splunk Enterprise

black hole

jcampbell1977
Explorer

I am attempting to black hole some data. It is based off simple strings, but my regex is not working. 

1st. I want to remove all events that contain "somename@google.com"

props: sourcetype=ipstuff

[ipstuff]
TRANSFORMS-filter-events = ipstuff_drop_event

Transforms: 

[ipstuff_drop_event]
REGEX = somename\@\google\.\com
DEST_KEY = queue
FORMAT = nullQueue

2nd. I want to remove all events that contain the string "totalamountsystem".

props: sourcetype=ds:fip

[ds:fip]
TRANSFORMS-filter-events=totalamountsystemDrop

Transforms:

[totalamountsystemDrop]
REGEX = totalamountsystem
DEST_KEY = queue
FORMAT = nullQueue


What am I missing here?


0 Karma

isoutamo
SplunkTrust

Hi

Are you running these on HF or indexer? 

In the 1st case your regex should be

REGEX = somename@google\.com

and 2nd

try

REGEX = .*totalamountsystem.*

if there could be any non-breaking character within that word.

r. Ismo

0 Karma
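To check a transforms.conf REGEX before restarting anything, it helps to run it against a few raw events the way Splunk does (an unanchored search over _raw, with a match routing the event to the queue named in FORMAT). The script below is an added example written for this thread, not code from the original posts or from Splunk; it uses Python's re module as a stand-in for Splunk's PCRE engine, and the sample events are constructed. It shows why the question's original pattern never drops anything (the `\g` and `\c` escapes are not the literal letters g and c, so the pattern does not describe the address at all) while the corrected patterns from the answer route the intended events to nullQueue.

```python
import re

# Constructed sample events standing in for _raw; not taken from the thread.
EVENTS = [
    "2024-12-01 10:00:01 login user=somename@google.com src=10.0.0.5",
    "2024-12-01 10:00:02 login user=other@example.com src=10.0.0.6",
    "2024-12-01 10:00:03 report totalamountsystem=42 host=app01",
    "2024-12-01 10:00:04 report total=17 host=app02",
]

# REGEX values as they appear in the thread: the original (broken) one and
# the corrected ones. FORMAT = nullQueue for all of them.
REGEX_ORIGINAL = r"somename\@\google\.\com"
REGEX_FIXED = r"somename@google\.com"
REGEX_TOTAL = r"totalamountsystem"
REGEX_TOTAL_WILDCARD = r".*totalamountsystem.*"


def compile_or_none(pattern):
    """Compile a REGEX value; return None if the pattern is not valid.

    Python rejects the \\g escape in the original pattern outright. Splunk's
    PCRE does not treat \\g and \\c as literal letters either, so the pattern
    cannot match the literal address; a transform with an unusable REGEX
    silently drops nothing, which is exactly the symptom in the question.
    """
    try:
        return re.compile(pattern)
    except re.error:
        return None


def route(pattern, event, fmt="nullQueue"):
    """Mimic DEST_KEY = queue: an unanchored match sends the event to FORMAT,
    otherwise it continues to the index queue. An invalid pattern never matches."""
    rx = compile_or_none(pattern)
    if rx is not None and rx.search(event):
        return fmt
    return "indexQueue"


def dropped_events(pattern, events=EVENTS):
    """Return the events a transform with this REGEX would send to nullQueue."""
    return [e for e in events if route(pattern, e) == "nullQueue"]


if __name__ == "__main__":
    for name, pattern in [
        ("original", REGEX_ORIGINAL),
        ("fixed", REGEX_FIXED),
        ("total", REGEX_TOTAL),
        ("total+wildcard", REGEX_TOTAL_WILDCARD),
    ]:
        print(f"{name:15s} {pattern!r:32s} drops {len(dropped_events(pattern))} event(s)")
```

Note that the plain `totalamountsystem` and the `.*totalamountsystem.*` form drop the same events here, because Splunk's REGEX is a search, not a full-line match; the surrounding `.*` only costs extra backtracking on long events. The corrected first pattern needs only the dot escaped, since `@` has no special meaning in a regex.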

jcampbell1977
Explorer

I am performing on an indexer and these logs are still getting indexed after applying these changes. Do I need to adjust the sourcetype definition in the stanza?

0 Karma

isoutamo
SplunkTrust
There is no HF before the indexer? And you have restarted the indexer after the change?

Sourcetype names are correct.
0 Karma