Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Using regex, how to exclude any events in the host field and keep the rest?

some_guy
Path Finder
‎06-14-2018 10:29 AM

One big syslog file I need to index (monitor) daily. Many hosts log to this syslog file.

I want to exclude any events that contain 'server1' in the host field, and keep the rest.

On the receiving indexer, the following is in /opt/splunk/etc/system/local

props.conf:

[source::/syslog/Security/*.log]
TRANSFORMS-set = setnull, setparsing

transforms.conf:

[setnull]
REGEX = server1
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX = .
DEST_KEY = queue
FORMAT = indexQueue

Where might I have gone wrong? This does not seem to work.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lacastillo
Path Finder
‎06-14-2018 11:44 AM

Make sure to set your SOURCE_KEY = MetaData:Host under the [setnull] stanza in transforms.conf. That will get rid of the unwanted events, you shouldn't need the second stanza as the rest of the events that don't contain "server1" in the host field should get ingested per the rest of the parameters set in props.conf.

let me know if that helps.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

lacastillo
Path Finder
‎06-14-2018 11:44 AM

Make sure to set your SOURCE_KEY = MetaData:Host under the [setnull] stanza in transforms.conf. That will get rid of the unwanted events, you shouldn't need the second stanza as the rest of the events that don't contain "server1" in the host field should get ingested per the rest of the parameters set in props.conf.

let me know if that helps.

0 Karma
Reply
Solved! Jump to solution

some_guy
Path Finder
‎06-14-2018 12:07 PM

Alleluia, its finally working!!! The key is, as you said:

SOURCE_KEY = MetaData:Host

THANKS!

0 Karma
Reply
Solved! Jump to solution

lacastillo
Path Finder
‎06-14-2018 12:09 PM

You're very welcome!

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...
Top