Splunk Search

filter events on indexer

fernandoandre
Communicator

I want to filter some types of events at my indexer, that are received from several universal forwarders.

I tried something similar to this:

http://splunk-base.splunk.com/answers/96/how-do-i-exclude-some-events-from-being-indexed-by-splunk

However I'm not receiving any events on my index.

  • Am I missing some configuration or some config file?
  • How do I filter and index only those events matching the regex?
  • The target index only needs to be in the univ forwarder's inputs.conf file, right?
  • The dropped events sent to nullQueue are never indexed, correct? They are dropped before the index process..?

Any help is much appreciated.

My configuration files are the following:

INDEXER:

props.conf

[WinEventLog:Security]
TRANSFORMS-set= setnull,setparsing

transforms.conf

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = (?msi)^EventCode=552|538|576|528|529).*
DEST_KEY = queue
FORMAT = indexQueue (I don't fully understand the purpose of this field! Should it have the target index?)

Univ. Forwarder

inputs.conf

[WinEventLog:Security]
disabled = 0
index = myIndex
start_from = oldest

outputs.conf

[tcpout]
defaultGroup=(myServer)_9997

[tcpout:(myServer)_9997]
server=(myServer):9997
useACK = true

[tcpout-server://(myServer):9997]
useACK = true


BobM
Builder

There are a couple of problems with this.

First the regex in setparsing is wrong. You should start the list of numbers with an open brace and don't need the terminating .*

REGEX = (?msi)^EventCode=(552|538|576|528|529)

Next, you have your regex in setnull to match everything. This will send it all to the null queue. Then you pull back (if the regex is fixed) the ones you want. This is inefficient so you want to create a regex to catch only what you want to throw away.

I would do this as follows:-

On the indexer

props.conf

[WinEventLog:Security]
TRANSFORMS-set= setnull

transforms.conf

[setnull]
REGEX = (?msi)^EventCode=(?!(552|538|576|528|529)\b)
DEST_KEY = queue
FORMAT = nullQueue

The ?! in this regex is saying NOT what is in this bracket, and the \b is making sure it doesn't match 5221, 5385 etc.

By the way, the FORMAT = indexQueue is telling splunk to put the event back in the indexing queue and it will use whatever index was defined in inputs.conf

Bob
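As an added illustration (my code, not Bob's or Splunk's), this Python snippet emulates how the indexer walks a TRANSFORMS-set list in order, letting each matching transform overwrite the queue key, so you can see what the one-transform version above does versus the question's null-then-pull-back chain. The sample events are constructed; it also shows that the question's original setparsing regex does not even compile, and why the \b matters.

```python
import re

# Constructed example, not from the thread: emulates how Splunk applies the
# TRANSFORMS-set list in order, each matching transform overwriting the
# "queue" key, so the last match decides where the event goes.

# BobM's single transform: drop everything whose EventCode is NOT listed.
# (?!...) negates the list; \b stops 5385 from being accepted as 538.
KEEP_LIST_ONLY = [{
    "REGEX": r"(?msi)^EventCode=(?!(552|538|576|528|529)\b)",
    "DEST_KEY": "queue", "FORMAT": "nullQueue",
}]

# The question's two-stage chain, with the setparsing regex as BobM corrected
# it: send everything to nullQueue, then pull the wanted codes back.
NULL_THEN_PARSE = [
    {"REGEX": r".", "DEST_KEY": "queue", "FORMAT": "nullQueue"},
    {"REGEX": r"(?msi)^EventCode=(552|538|576|528|529)",
     "DEST_KEY": "queue", "FORMAT": "indexQueue"},
]


def route(event, transforms):
    """Queue the event lands in after the transforms run in order.
    Events start out bound for indexQueue (the index name itself comes
    from the forwarder's inputs.conf); DEST_KEY=queue/FORMAT overwrite it."""
    keys = {"queue": "indexQueue"}
    for t in transforms:
        if re.search(t["REGEX"], event):
            keys[t["DEST_KEY"]] = t["FORMAT"]
    return keys["queue"]


def make_event(code):
    """Constructed multi-line WinEventLog:Security sample with one EventCode."""
    return ("03/12/2013 10:00:00 AM\nLogName=Security\nSourceName=Security\n"
            f"EventCode={code}\nEventType=8\nType=Success Audit\n")


def compiles(pattern):
    """False for the question's original regex: its ')' has no matching '('."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False
```

Note that the two-stage chain keeps EventCode=5385 because its setparsing regex has no \b after the list, while the single negative-lookahead transform drops it; every event also has to pass two regexes instead of one.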


amit2301
New Member

Hi,
I am trying to nullify the Windows event logs which are of "Type=Information", and I want only the events having errors and warnings.
I am not able to achieve this; kindly help.
I am using the below:

props.conf

[WinEventLog:Application]
TRANSFORMS-set= setnull

transforms.conf

[setnull]
REGEX = "Type=Information"
DEST_KEY = queue
FORMAT = nullQueue



fernandoandre
Communicator

I have understood the mechanism more clearly with your explanation than with the documentation and other posts.

I have tested it for 1 hour now and it works perfectly.

Thank you for your assistance.
