Splunk Search

How to edit my regex to filter out images in Apache logs from being indexed?

dmccabe2
New Member

Hi,

We have a large amount of data in the Apache log files, and we do not want images to be indexed.

How do I match GET /pictures and filter this out from being indexed?

//SAMPLE LOG

54.13.26.10 - - [07/Oct/2015:08:42:06 +0000] "GET /pictures/cco/4194417.jpg?1444207325625 HTTP/1.1" 200 1472 "https://www.mydomain.com/osites/t/ion/Nom?action=ActionNomOpen&client=cco&browserId=wn-1444206953462-0.3289887811175155" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0" **4739**

//REGEX (Displays IP part)

(?:(?<!\d)(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?!\d))

Thank you,
Darren.

0 Karma
1 Solution

krish3
Contributor

You can do this by editing props and transforms.conf

In props.conf set the TRANSFORMS-null attribute:

[source::/path/to/your/access.log*]
TRANSFORMS-null= setnull

And in transforms.conf add these lines

[setnull]
REGEX = \"GET\s\/pictures
DEST_KEY = queue
FORMAT = nullQueue

Thanks,

And let me know how it goes.

View solution in original post

0 Karma

krish3
Contributor

You can do this by editing props and transforms.conf

In props.conf set the TRANSFORMS-null attribute:

[source::/path/to/your/access.log*]
TRANSFORMS-null= setnull

And in transforms.conf add these lines

[setnull]
REGEX = \"GET\s\/pictures
DEST_KEY = queue
FORMAT = nullQueue

Thanks,

And let me know how it goes.

0 Karma

dmccabe2
New Member

Many thanks,

I will try it

0 Karma

somesoni2
Revered Legend
0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...