
How do I exclude everything but certain events at my heavy forwarder?

Path Finder

At my HF I want to exclude everything BUT three websites. I have been playing with this for days now, that's what she said, with no luck. Below is what I have in transforms.conf and props.conf

Transforms.conf

# First route every event to the null queue...
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# ...then send events for the three wanted sites back to the index queue
[keep1]
REGEX = \[google.com\]
DEST_KEY = queue
FORMAT = indexQueue

[keep2]
REGEX = \[nascar.com\]
DEST_KEY = queue
FORMAT = indexQueue

[keep3]
REGEX = \[cnn.com\]
DEST_KEY = queue
FORMAT = indexQueue

Props.conf

# Transforms are applied in the listed order, so setnull must come first
[source::tcp:9999]
TRANSFORMS-set = setnull,keep1,keep2,keep3

With these settings, we are still indexing ALL websites coming in on that port including the three listed. We are trying to ONLY keep google, nascar and cnn.
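The nullQueue-then-keep pattern above relies on Splunk applying the transforms in a TRANSFORMS-<class> list in order, with the last matching transform deciding the queue. The following is an added example, not from this thread: a small Python simulation of that ordering over constructed sample events, using Python's re module as a stand-in for Splunk's regex engine. It also shows what happens when the backslashes before the brackets are lost, which is the escaping question raised later in the thread.

```python
import re

# Constructed sample events (not from the thread); one event per line
SAMPLE_EVENTS = [
    "2024-01-01 10:00:00 client=10.0.0.5 site=[google.com] status=200",
    "2024-01-01 10:00:01 client=10.0.0.6 site=[nascar.com] status=200",
    "2024-01-01 10:00:02 client=10.0.0.7 site=[cnn.com] status=301",
    "2024-01-01 10:00:03 client=10.0.0.8 site=[example.org] status=200",
]

# Transforms as (name, regex, queue), mirroring the thread's transforms.conf.
# Brackets are escaped so they match literally; the dot is escaped too,
# so "google.com" does not also match "googleXcom".
TRANSFORMS_ESCAPED = [
    ("setnull", r".", "nullQueue"),
    ("keep1", r"\[google\.com\]", "indexQueue"),
    ("keep2", r"\[nascar\.com\]", "indexQueue"),
    ("keep3", r"\[cnn\.com\]", "indexQueue"),
]

# The same list with the backslashes stripped. "[nascar.com]" is now a
# character class that matches any single one of those letters.
TRANSFORMS_UNESCAPED = [
    ("setnull", r".", "nullQueue"),
    ("keep1", r"[google.com]", "indexQueue"),
    ("keep2", r"[nascar.com]", "indexQueue"),
    ("keep3", r"[cnn.com]", "indexQueue"),
]


def route_event(event, transforms):
    """Return the queue an event ends up in.

    Models TRANSFORMS-<class> behaviour: transforms run in the listed order
    and each one whose REGEX matches overwrites the queue key, so the last
    match wins. Python's re module approximates Splunk's PCRE engine here.
    """
    queue = "indexQueue"  # default destination when nothing matches
    for _name, pattern, dest in transforms:
        if re.search(pattern, event):
            queue = dest
    return queue


def route_all(events, transforms):
    """Map each event to its final queue for a given transform list."""
    return {event: route_event(event, transforms) for event in events}
```

Reversing the list so setnull runs last sends every event to nullQueue, which is the effect of testing with only the setnull transform, as suggested further down the thread.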


Re: How do I exclude everything but certain events at my heavy forwarder?

Splunk Employee

Are you trying to match the square brackets on [nascar] etc.? You'll need to escape the brackets so it will look like this:

REGEX=\[nascar\]

Right now I don't think your regex is working.


Re: How do I exclude everything but certain events at my heavy forwarder?

Path Finder

I do have the "\" in all of the REGEX to escape the brackets. For some reason it did not show up in this post. I have also tried it with no brackets "REGEX= nascar" and that did not work either...


Re: How do I exclude everything but certain events at my heavy forwarder?

Path Finder

Is my spacing correct?


Re: How do I exclude everything but certain events at my heavy forwarder?

Legend

Putting quotation marks in there will make the regex engine actually look for quotation marks, not escape your whole string. You need to escape the brackets like sdaniels shows in his example.


Re: How do I exclude everything but certain events at my heavy forwarder?

Path Finder

There are no quotation marks in my config. I should not have put those in my reply. The forward slash is not showing up in my posts for some reason.

Any other ideas?


Re: How do I exclude everything but certain events at my heavy forwarder?

Legend

Did you try this with JUST the setnull transform to check that your props.conf settings are actually applied?


Re: How do I exclude everything but certain events at my heavy forwarder?

Path Finder

I will try that but before I do does my Source in Props.conf look correct? I would hate to test this and not have it apply only to the port we are working with.


Re: How do I exclude everything but certain events at my heavy forwarder?

Legend

It looks correct.

Also, do you have any sample events so we can see what exactly you're matching against?


Re: How do I exclude everything but certain events at my heavy forwarder?

Path Finder

I tried it with JUST the setnull transform and that is working. That stopped all data coming in from the port.