
All events except one to Null

jordanperks
Path Finder

I am getting millions of events/day that I need to send to the null queue. I need to match all events with the exception of anything that says "Windows XP" and send them to null. Any thoughts on writing this?

My initial thought would be to write something that matches Windows XP and sends it to a specific index and put that above another entry that sends everything to Null. Thoughts?

1 Solution

MuS
SplunkTrust

Hi jordanperks,

Take a look at the second example from the docs about filtering events and sending them to a queue; basically it is the other way around. In this example you will keep only sshd events from the messages file. The order of the transforms in props.conf matters. The null queue transform must come first; if it comes later, it will invalidate the previous transform and route all events to the null queue.

In props.conf:

[source::/var/log/messages]
TRANSFORMS-set= setnull,setparsing

In transforms.conf:

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = \[sshd\]
DEST_KEY = queue
FORMAT = indexQueue

hope this helps ...

cheers, MuS

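To make the ordering rule in the accepted answer concrete, here is an added Python model (not Splunk's code and not part of the original thread) of how a TRANSFORMS-&lt;class&gt; list is applied: every transform whose REGEX matches the raw event sets DEST_KEY to its FORMAT, and a later match overrides an earlier one. The transform names and sample events are constructed; the regexes are the ones used in the thread.

```python
import re

# Constructed transforms.conf stanzas, mirroring the thread's working config.
TRANSFORMS = {
    "hostnull":    {"REGEX": r".",                "DEST_KEY": "queue", "FORMAT": "nullQueue"},
    "hostparsing": {"REGEX": r"\s*Windows XP\s*", "DEST_KEY": "queue", "FORMAT": "indexQueue"},
}


def route_event(raw, order, transforms=TRANSFORMS, default="indexQueue"):
    """Return the queue an event lands in after the named transforms run in `order`.

    Model assumption: transforms are evaluated in list order and each matching
    transform overwrites DEST_KEY, so the last match decides the queue.
    """
    keys = {"queue": default}  # an event with no matching transform is indexed normally
    for name in order:
        t = transforms[name]
        if re.search(t["REGEX"], raw):
            keys[t["DEST_KEY"]] = t["FORMAT"]
    return keys["queue"]


def route_all(events, order):
    """Map each raw event to its destination queue for a given transform order."""
    return {e: route_event(e, order) for e in events}


# Constructed sample events (not from the original thread).
SAMPLE_EVENTS = [
    "2021-10-01 host=ws01 os=Windows XP login ok",
    "2021-10-01 host=ws02 os=Windows 10 login ok",
    "2021-10-01 host=srv01 os=Windows Server 2016 reboot",
]

if __name__ == "__main__":
    correct = ["hostnull", "hostparsing"]  # null queue first: only XP events survive
    wrong = ["hostparsing", "hostnull"]    # null queue last: it overrides every event
    for label, order in (("correct", correct), ("wrong", wrong)):
        print(label, order)
        for ev, q in route_all(SAMPLE_EVENTS, order).items():
            print(f"  {q:10s} <- {ev}")
```

Running it shows the "wrong" order sending all three events to nullQueue, which is the failure mode the answer warns about.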

linu1988
Champion

Hello,
You need to use props.conf and transforms.conf. They should be put on the indexer.

Props.conf:

[Source_Name]
TRANSFORMS-log=xp-redirect

Transforms.conf:

[xp-redirect]
REGEX=\s*Windows XP\s*
DEST_KEY=queue
FORMAT=nullQueue

Thanks

jordanperks
Path Finder

The REGEX was exactly what I needed, but this filtered out the XP events rather than keeping them.

props.conf:

[host::myhostname]
TRANSFORMS-null = hostnull,hostparsing

Transforms.conf:

[hostnull]
REGEX=.
DEST_KEY=queue
FORMAT=nullQueue

[hostparsing]
REGEX=\s*Windows XP\s*
DEST_KEY = queue
FORMAT = indexQueue



jordanperks
Path Finder

This worked perfectly.
