Solved: Re: How to filter out IPs from being indexed?

mcbradford · ‎01-26-2018

I am not good at regex, so I need help filtering some IPs from being indexed.

raw event looks like this:

192.168.184.25 - - [26/Jan/2018:10:46:06 -0500] "HEAD / HTTP/1.0" 302 0 "-" "avi/1.0" "-" 192.168.184.26 - - [26/Jan/2018:10:46:06 -0500] "HEAD / HTTP/1.0" 302 0 "-" "avi/1.0" "-"

I also have data in the dataset coming from 23.99., so I want to exclude all data from the 23.99. range.

I was trying the following in transforms.conf on my Heavy Forwarder, but the events are still coming in. note - I just started with the 192.168.184.25

transforms.conf

[setnull]
REGEX = \,192\.168\.184\.25\,
DEST_KEY = queue
FORMAT = nullQueue

props.conf

[source::/var/log/nginx/access.log]
TRANSFORMS-null= setnull

mayurr98 · ‎01-26-2018

try this

[setnull]
REGEX = 192\.168\.184\.25
DEST_KEY = queue
FORMAT = nullQueue

[source::/var/log/nginx/access.log]
TRANSFORMS-null = setnull

let me know if this helps!

View solution in original post

mayurr98 · ‎01-26-2018

try this

[setnull]
REGEX = 192\.168\.184\.25
DEST_KEY = queue
FORMAT = nullQueue

[source::/var/log/nginx/access.log]
TRANSFORMS-null = setnull

let me know if this helps!

mcbradford · ‎01-26-2018

This worked. If I wanted to exclude 192.168.184.25 and 192.168.184.26, could I do it with one statement?

I tired 192.168.184.* and this did not work.

mayurr98 · ‎01-26-2018

Try this

192\.168\.184\.(25|26)

How to filter out IPs from being indexed?

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?