Re: black hole

jcampbell1977 · ‎09-02-2020

I am attempting to black hole some data. It is based off simple strings, but my regex is not working.

1st. I want to remove all events that contain "somename@google.com"

props: sourcetype=ipstuff

[ipstuff]
TRANSFORMS-filter-events = ipstuff_drop_event

Transforms:

[ipstuff_drop_event]
REGEX = somename\@\google\.\com
DEST_KEY = queue
FORMAT = nullQueue

2nd. I want to remove all event that contain the string "totalamountsystem".

props: sourcetype=ds:fip

[ds:fip]
TRANSFORMS-filter-events=totalamountsystemDrop

Transforms:

[totalamountsystemDrop]
REGEX = totalamountsystem
DEST_KEY = queue
FORMAT = nullQueue

What am I missing here?

isoutamo · ‎09-02-2020

Hi

Are you running these on HF or indexer?

in the 1st case your regex should be

REGEX = somename@google\.com

and 2nd

try

REGEX = .*totalamountsystem.*

if there could be any non breaker character within that world

r. Ismo

jcampbell1977 · ‎09-03-2020

I am performing on an indexer and these logs are still getting indexed after applying these changes. Do I need to adjust the sourcetype definition in the stanza?

isoutamo · ‎09-03-2020

There is no HF before indexer? And you have restarted indexer after change?

Sourcetype names are correct.

black hole

administration

configuration

troubleshooting

using Splunk Enterprise

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation