Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to edit my props and transforms.conf to filter a subnet of logs from a destination IP address field?

takarthik
New Member
‎06-10-2016 12:25 AM

I am new to this concept. I am trying to filter the 10.0.0.0/8 subnet of logs from destination IP address field. I am trying to filter the logs in Splunk using props.conf & transforms.conf. Can you please help me in confirming if the applied props and transforms are correct, and also please let me know if the REGEX for filtering the destination IP address are correct.

Configurations in the props.conf

[Filter_Logs]
TRANSFORMS-null = null, Filter_Logs

Configurations in the transforms.conf,

[null]
REGEX = .
DEST_KEY = queue
FORMAT = indexQueue

[Filter_Logs]
REGEX = \|dest_ip\=^10.0.0.0/8$\|
DEST_KEY = queue
FORMAT = nullQueue

Thanks in advance.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-10-2016 05:46 AM

What does your data look like?

Even without seeing sample data, though, it's fairly certain your regex string will not produce the result you seek. The dots and slash within the IP address must be escaped. The ^ and $ anchors make no sense the way they are currently used.

Go to regex101. com to experiment with regex strings until you find what works with your data.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

takarthik
New Member
‎06-10-2016 07:14 AM

Thanks for your response Rich.

I modified the REGEX accordingly and it matched in REGEX101.com

^10.45.(0.([1-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))|([1-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5])).([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5])))$

On applying that in Splunk under transforms.conf that is not taking any effect.

Not sure if I am missing anything in the props and transforms.

transforms.conf

[setnull]
REGEX = \|dest\=^10.45.(0.([1-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))|([1-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5])).([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5])))$\|
REGEX = \|src\=^10.255.(0.([1-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))|([1-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5])).([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5])))$\|
DEST_KEY = queue
FORMAT = nullQueue

props.conf

[sourcetype name]
TRANSFORMS-set = setnull

Please help.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-11-2016 01:07 PM

You modified the regex strings, but didn't address the concerns I raised. The regexes are just more complex with the same problems. I suggest you get rid of the '^' and '$' characters. Then replace . with \..

I could be more specific with some sample data (sanitized, if necessary).

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...