I have a number of Snort sensors that are sending syslog events to a Splunk forwarder. That forwarder in turn forwards the events to three indexers in a cluster.
Some snort rules are generating useless events where the body is: " |". I ran a search to test that my regex matches: index=ids | rex _raw="^\s\|$"
and it matches those events.
I created the following in transforms.conf:
[snort_null]
REGEX = "^\s\|$"
DEST_KEY = queue
FORMAT = nullQueue
And in props.conf:
[snort]
TRANSFORMS-null = snort_null
I've applied this to both the forwarder and the indexers in the cluster, but the events keep showing up. I feel like I'm taking crazy pills...
What am I doing wrong here?
Thx.
Craig
Remove the double quotes in transforms.conf - those are necessary for the rex command because it takes a string, but they aren't part of the regex.
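Added example (not part of the original thread or of Splunk itself) that makes the answer above concrete: Splunk passes the REGEX value from transforms.conf to its PCRE engine as-is, so the double quotes become literal characters of the pattern. The script below applies both the quoted and the unquoted pattern to a few constructed sample events and simulates the keep/drop decision of a nullQueue transform. Python's re module stands in for PCRE here, which is accurate for the anchors, \s and escaped pipe involved; the event lines and regex constants are constructed for this demonstration.

```python
import re

# REGEX exactly as it appeared in the question's transforms.conf, quotes included.
# In transforms.conf the quotes are not string delimiters: Splunk hands them to
# the PCRE engine as literal characters, so the pattern demands a '"' and then
# a start-of-string anchor after it, which can never match.
QUOTED_REGEX = r'"^\s\|$"'

# The same REGEX value with the quotes removed, as the answer suggests.
FIXED_REGEX = r"^\s\|$"

# Constructed sample events for this demonstration (not from the original post).
# The first is the empty Snort body the question describes; the third shows that
# only an exactly-empty body is matched, not every line starting with " |".
SAMPLE_EVENTS = [
    " |",
    "[1:1000001:1] Constructed test alert [Priority: 3] {TCP} 10.0.0.5:51000 -> 10.0.0.9:22",
    " | trailing text after the pipe",
]


def matches_nullqueue_regex(regex: str, event: str) -> bool:
    """Return True if the transform's REGEX would fire on this raw event.

    Splunk evaluates REGEX against _raw with PCRE; Python's re engine behaves
    the same for the simple constructs used here (^, $, \\s, \\|), so it is an
    adequate stand-in for checking whether the pattern can match at all.
    """
    return re.search(regex, event) is not None


def simulate_transform(regex: str, events: list[str]) -> tuple[list[str], list[str]]:
    """Split events into (kept, dropped), as a transform with DEST_KEY = queue
    and FORMAT = nullQueue would for the given REGEX."""
    kept, dropped = [], []
    for event in events:
        (dropped if matches_nullqueue_regex(regex, event) else kept).append(event)
    return kept, dropped


if __name__ == "__main__":
    for label, regex in (("quoted (original)", QUOTED_REGEX), ("unquoted (fixed)", FIXED_REGEX)):
        kept, dropped = simulate_transform(regex, SAMPLE_EVENTS)
        print(f"{label}: REGEX = {regex} -> dropped {len(dropped)}, kept {len(kept)}")
```

With the quoted pattern nothing is dropped, which is exactly the symptom in the question; with the quotes removed only the " |" event goes to the nullQueue and the normal alert survives. Note that this only checks the pattern itself; the transform still has to be deployed to the indexers that actually parse the data (on a universal forwarder, parsing-time transforms are not applied) before the events disappear.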
@martin_mueller's answer should work. Also make sure you apply your changes via cluster master's splunk apply cluster-bundle command.