Splunk Search

How to setup regex to not index a specific URL?

iabreu
New Member

Hello Splunkers,

I'm having a little difficulty getting a regex on Splunk to not index a specifc URL. I tried many types of regexes, but none of them work. Below is the URL:

hxxps://xxcomputer.drmtz.com.br

Could you help me?

thanks.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

You could do this in props.conf:

[your_sourcetype]
...
TRANSFORMS-null = filter_url

And in transforms.conf:

[filter_url]
REGEX = https://\d+computer.drmtz.com.br
DEST_KEY = queue
FORMAT = nullQueue

That'll send events containing that URL to /dev/null. I've assumed that the xx stands for a number. Note, this will catch and drop every event containing that string anywhere in its raw text.
Remember to restart your indexers after making this change.

0 Karma
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Deprecation of Splunk Observability Kubernetes “Classic Navigator” UI starting ...

Access to Splunk Observability Kubernetes “Classic Navigator” UI will no longer be available starting January ...

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...