Solved: Re: Using regex, how to exclude any events in the ...

some_guy · ‎06-14-2018

One big syslog file I need to index (monitor) daily. Many hosts log to this syslog file.

I want to exclude any events that contain 'server1' in the host field, and keep the rest.

On the receiving indexer, the following is in /opt/splunk/etc/system/local

props.conf:

[source::/syslog/Security/*.log]
TRANSFORMS-set = setnull, setparsing

transforms.conf:

[setnull]
REGEX = server1
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX = .
DEST_KEY = queue
FORMAT = indexQueue

Where might I have gone wrong? This does not seem to work.

lacastillo · ‎06-14-2018

Make sure to set your SOURCE_KEY = MetaData:Host under the [setnull] stanza in transforms.conf. That will get rid of the unwanted events, you shouldn't need the second stanza as the rest of the events that don't contain "server1" in the host field should get ingested per the rest of the parameters set in props.conf.

let me know if that helps.

View solution in original post

lacastillo · ‎06-14-2018

Make sure to set your SOURCE_KEY = MetaData:Host under the [setnull] stanza in transforms.conf. That will get rid of the unwanted events, you shouldn't need the second stanza as the rest of the events that don't contain "server1" in the host field should get ingested per the rest of the parameters set in props.conf.

let me know if that helps.

some_guy · ‎06-14-2018

Alleluia, its finally working!!! The key is, as you said:

SOURCE_KEY = MetaData:Host

THANKS!

lacastillo · ‎06-14-2018

You're very welcome!

Using regex, how to exclude any events in the host field and keep the rest?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases