Solved: Using regex, how to exclude any events in the host...

some_guy · ‎06-14-2018

One big syslog file I need to index (monitor) daily. Many hosts log to this syslog file.

I want to exclude any events that contain 'server1' in the host field, and keep the rest.

On the receiving indexer, the following is in /opt/splunk/etc/system/local

props.conf:

[source::/syslog/Security/*.log]
TRANSFORMS-set = setnull, setparsing

transforms.conf:

[setnull]
REGEX = server1
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX = .
DEST_KEY = queue
FORMAT = indexQueue

Where might I have gone wrong? This does not seem to work.

lacastillo · ‎06-14-2018

Make sure to set your SOURCE_KEY = MetaData:Host under the [setnull] stanza in transforms.conf. That will get rid of the unwanted events, you shouldn't need the second stanza as the rest of the events that don't contain "server1" in the host field should get ingested per the rest of the parameters set in props.conf.

let me know if that helps.

View solution in original post

lacastillo · ‎06-14-2018

Make sure to set your SOURCE_KEY = MetaData:Host under the [setnull] stanza in transforms.conf. That will get rid of the unwanted events, you shouldn't need the second stanza as the rest of the events that don't contain "server1" in the host field should get ingested per the rest of the parameters set in props.conf.

let me know if that helps.

some_guy · ‎06-14-2018

Alleluia, its finally working!!! The key is, as you said:

SOURCE_KEY = MetaData:Host

THANKS!

lacastillo · ‎06-14-2018

You're very welcome!

Using regex, how to exclude any events in the host field and keep the rest?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!