I'm trying to set up my Splunk instance so that it filters out some lines and then leaves everything else. The lines that I'd like to remove contain one of the following values:
To filter out these lines, I added the following sections to my props.conf and transform.conf files
[cisco:asa] TRANSFORMS-null= setnull
[setnull] REGEX = %ASA-6-3020(13|14|15|16|20|21) DEST_KEY = queue FORMAT = nullQueue
But for some reason, syslog lines containing values other than what was listed above are being removed as well. Is there a change that I should make to my regular expression in order to get things working correctly?
I can't find anything major wrong in your regex. Except may be escape % using \%
REGEX = \%ASA-6-3020(13|14|15|16)
Nothing weird but try adding another rule to your configuration to see what happens.
[cisco:asa] TRANSFORMS-null= setnull, not_filtered [setnull] REGEX = %ASA-6-3020(13|14|15|16|20|21) DEST_KEY = queue FORMAT = nullQueue [not_filtered] REGEX = . DEST_KEY = queue FORMAT = indexQueue
Hope it helps.
Thanks for your feedback. What advantage would this type of setup have over what I'm currently using?
a long shot, but is it possible that you have another stanza named setnull in a different transforms.conf that is winning the conflict? Maybe btool could be a quick check
splunk btool transforms list setnull --debug
Your config must be applied on the parsing layer, so if there are heavy weight forwarder along the way the
transforms.conf must be put on them,. See the docs for details about this http://docs.splunk.com/Documentation/Splunk/latest/Admin/Configurationparametersandthedatapipeline#P...
Another thing to remember is that you need to restart your Splunk instance after you changed those config files.
Regarding the regex one thing that will speed it up, is to put the last two digits in a non-capturing group like this:
Works faster on regex101.com.
Hope this helps ...
Also, only post-deploy, post-restart events will be effected (old events will stay broken).
sorry about taking so long to respond, but thanks! things seem to be working properly now