Hello Splunkers,
I'm having a little difficulty getting a regex on Splunk to not index a specific URL. I tried many types of regexes, but none of them work. Below is the URL:
hxxps://xxcomputer.drmtz.com.br
Could you help me?
thanks.
You could do this in props.conf:
[your_sourcetype]
...
TRANSFORMS-null = filter_url
And in transforms.conf:
[filter_url]
REGEX = https://\d+computer.drmtz.com.br
DEST_KEY = queue
FORMAT = nullQueue
That'll send events containing that URL to /dev/null. I've assumed that the xx stands for a number. Note, this will catch and drop every event containing that string anywhere in its raw text.
Remember to restart your indexers after making this change.
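To check what a nullQueue transform like the one above would actually drop before restarting the indexers, here is an added example (mine, not from the answer or from Splunk) that parses a transforms.conf stanza with Python's ConfigParser, applies its REGEX to a few constructed sample events with the same unanchored "search anywhere in _raw" semantics, and reports which queue each event would go to. The stanza names, the second stricter stanza with escaped dots, and the sample events are all my own assumptions; the first stanza copies the REGEX from the answer.

```python
import re
from configparser import ConfigParser

# Constructed transforms.conf text. [filter_url] copies the answer's REGEX;
# [filter_url_strict] is my variant with the dots escaped so they only match
# a literal "." rather than any character.
TRANSFORMS_CONF = r"""
[filter_url]
REGEX = https://\d+computer.drmtz.com.br
DEST_KEY = queue
FORMAT = nullQueue

[filter_url_strict]
REGEX = https://\d+computer\.drmtz\.com\.br
DEST_KEY = queue
FORMAT = nullQueue
"""

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    "2024-01-01T10:00:00 GET https://12computer.drmtz.com.br/index.html 200",
    "2024-01-01T10:00:01 GET https://xxcomputer.drmtz.com.br/login 200",
    "2024-01-01T10:00:02 GET https://intranet.example.test/ 200",
    "2024-01-01T10:00:03 referer=https://12computer-drmtz-com-br.example.test/ 302",
]


def load_null_queue_filters(conf_text):
    """Return {stanza_name: compiled REGEX} for every stanza that routes
    matching events to the nullQueue (DEST_KEY = queue, FORMAT = nullQueue)."""
    cp = ConfigParser(interpolation=None)
    cp.optionxform = str  # keep Splunk's upper-case keys exactly as written
    cp.read_string(conf_text)
    filters = {}
    for stanza in cp.sections():
        s = cp[stanza]
        if s.get("DEST_KEY") == "queue" and s.get("FORMAT") == "nullQueue":
            filters[stanza] = re.compile(s["REGEX"])
    return filters


def route_event(raw, pattern):
    """Return 'nullQueue' if the REGEX matches anywhere in the raw event text,
    otherwise 'indexQueue' (the event is kept). The match is unanchored, which
    is why the answer warns that any event containing the string is dropped."""
    return "nullQueue" if pattern.search(raw) else "indexQueue"


def route_all(conf_text=TRANSFORMS_CONF, events=SAMPLE_EVENTS):
    """Route every sample event through every nullQueue filter in the config."""
    filters = load_null_queue_filters(conf_text)
    return {name: [route_event(e, pat) for e in events]
            for name, pat in filters.items()}


if __name__ == "__main__":
    for name, decisions in route_all().items():
        print(f"[{name}]")
        for event, decision in zip(SAMPLE_EVENTS, decisions):
            print(f"  {decision:10s} {event}")
```

Running it shows two things worth knowing before deploying the stanza: the `\d+` in the answer's REGEX does not match a literal "xx" hostname (so if the xx really is letters, the transform drops nothing), and the unescaped dots let the answer's REGEX also match a look-alike such as `12computer-drmtz-com-br.example.test`, which the escaped variant does not.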