All events except one to Null

Path Finder

I am getting millions of events/day that I need to send to the null queue. I need to match all events with the exception of anything that says "Windows XP" and send them to null. Any thoughts on writing this?

My initial thought would be to write something that matches Windows XP and sends it to a specific index and put that above another entry that sends everything to Null. Thoughts?


SplunkTrust

Hi jordanperks,

Take a look at the second example from the docs about filtering events and sending them to a queue; basically it is the other way around. In this example you will keep only sshd events from the messages file. The order of the transforms in props.conf matters. The null queue transform must come first; if it comes later, it will invalidate the previous transform and route all events to the null queue.

In props.conf:

[source::/var/log/messages]
TRANSFORMS-set= setnull,setparsing

In transforms.conf:

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = \[sshd\]
DEST_KEY = queue
FORMAT = indexQueue

hope this helps ...

cheers, MuS

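The ordering rule above can be checked offline. This is an added example, not code from the thread or from Splunk: a small Python model of how TRANSFORMS-&lt;class&gt; entries are applied in sequence, each matching REGEX overwriting DEST_KEY=queue so that the last match wins. It uses the asker's hostnull/hostparsing stanzas against constructed sample events, and the assumed SOURCE_KEY is the default _raw.

```python
import re

# Transforms as (name, REGEX, FORMAT) in the order listed in props.conf.
# These mirror the thread's hostnull/hostparsing stanzas; matching against
# _raw (Splunk's default SOURCE_KEY) is an assumption of this model.
TRANSFORMS = [
    ("hostnull",    r".",              "nullQueue"),
    ("hostparsing", r"\sWindows XP\s", "indexQueue"),
]

# Hypothetical variant (not from the thread): word boundaries instead of
# literal whitespace, so "Windows XP" at end of line or before punctuation
# still matches and is kept rather than silently dropped.
TRANSFORMS_WORD_BOUNDARY = [
    ("hostnull",    r".",              "nullQueue"),
    ("hostparsing", r"\bWindows XP\b", "indexQueue"),
]

def route_event(raw, transforms):
    """Return the queue an event ends up in.

    Every transform whose REGEX matches overwrites the queue, so the last
    matching transform wins. That is why the catch-all nullQueue transform
    must be listed first: reversed, it would match everything last and
    send all events, XP included, to the null queue.
    """
    queue = "indexQueue"  # destination when no transform matches
    for _name, pattern, dest in transforms:
        if re.search(pattern, raw):
            queue = dest
    return queue

def route_all(events, transforms):
    return {raw: route_event(raw, transforms) for raw in events}

# Constructed sample events (not taken from the thread).
EVENTS = [
    "ws01 Windows 10 user logged on",
    "ws02 Windows XP user logged on",
    "ws03 booted Windows XP",          # "Windows XP" at end of event
    "ws04 Windows XP, user logged on", # followed by punctuation
]

if __name__ == "__main__":
    for label, order in (("listed", TRANSFORMS),
                         ("reversed", list(reversed(TRANSFORMS))),
                         ("word-boundary", TRANSFORMS_WORD_BOUNDARY)):
        print(f"order: {label}")
        for raw, q in route_all(EVENTS, order).items():
            print(f"  {q:<10} {raw}")
```

Running it shows that with the listed order only ws02 reaches indexQueue, that the reversed order sends every event to nullQueue, and that the `\s`-delimited regex drops ws03 and ws04 even though they mention Windows XP.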

Champion

Hello,
You need to use props.conf and transforms.conf. They should be put on the indexer.

Props.conf:

[Source_Name]
TRANSFORMS-log=xp-redirect

Transforms.conf:

[xp-redirect]
REGEX=\s*Windows XP\s*
DEST_KEY=queue
FORMAT=nullQueue

Thanks

Path Finder

The REGEX was exactly what I needed, but this filtered out the XP events rather than kept them.

props.conf:

[host::myhostname]
TRANSFORMS-null = hostnull,hostparsing

transforms.conf:

[hostnull]
REGEX=.
DEST_KEY=queue
FORMAT=nullQueue

[hostparsing]
REGEX=\sWindows XP\s
DEST_KEY = queue
FORMAT = indexQueue



Path Finder

This worked perfectly.
