Splunk Search

SC4S: version 2 filter events not working

jomon_ng
Observer

Hi, I tried to filter events on version 2.30.0 based on v1.110.0 configuration, but it failed to dropped events in version 2. I also have read the document but somehow it still not working. maybe something that I miss out. kindly advise

SC4S V1.110.0

$ cat vendor_product_by_source.csv
f_null_queue,sc4s_vendor_product,"null_queue"

$ cat vendor_product_by_source.conf
filter f_null_queue {
host(10.14.1.98)
or host(10.14.1.99)
or host("uk-test-intfw*" type(glob))
};

Result: Events from above host has been dropped and didn’t see it show in Splunk

SC4S v2.30.0
$ cat vendor_product_by_source.csv
f_null_queue,sc4s_vendor_product,"null_queue"

$ cat vendor_product_by_source.conf
filter f_null_queue {
host(10.14.1.98)
or host(10.14.1.99)
or host("uk-test-intfw*" type(glob))
};

Result: With the same statement as V1, events still continues flow into Splunk without filter.

I have follow the document and make changed as below

$ cat vendor_product_by_source.csv
f_cisco_asa,sc4s_vendor_product,cisco_asa
f_fortinet_fortios,sc4s_vendor_product,fortinet_fortios

$ cat vendor_product_by_source.conf
filter f_cisco_asa {
host(10.14.1.98)
or host(10.14.1.99)
};

filter f_fortinet_fortios {
host(uk-test-intfw*" type(glob))
};

Labels (1)
Tags (2)
0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...