Hi guys
I have a multi-tier Splunk implementation as follows:
Syslog ----> Heavy-Forwarder ----> Indexer
Universal Forwarder ------> Heavy-Forwarder ----> Indexer
Regarding that, I need event filtering on the HF. The event in question is a Cisco ACS event and I want to ignore the system statistics logs of the mentioned product. So I've built the following configuration:
props.conf
# props.conf stanzas are keyed by sourcetype, [source::<source>] or [host::<host>];
# a UDP input's source is udp:<port> (assumed here to be udp:516 for this input)
[source::udp:516]
TRANSFORMS-set = Cisco_ACS
transforms.conf
[Cisco_ACS]
REGEX = System-Stats
DEST_KEY = queue
FORMAT = nullQueue
Following you can see an example of such log :
Jul 2 20:44:02 192.168.110.30 Jul 2 16:14:02 ACS CSCOacs_System_Statistics 0000028700 1 0 2019-07-02 16:14:02.670 +00:00 0000099874 70000 NOTICE System-Stats: ACS Utilization, ACSVersion=acs-5.8.1.4-B.462.x86_64, ConfigVersionId=5, SysStatsUtilizationCpu=5.48%, SysStatsUtilizationNetwork=eth0: rcvd = 10045\; sent = 1547, SysStatsUtilizationMemory=39.72%, SysStatsUtilizationDiskIO=0.74%, SysStatsUtilizationDiskSpace=21.19% /opt/CSCOacs/runtime, SysStatsUtilizationDiskSpace=24.82% /, SysStatsUtilizationDiskSpace=12.35% /boot, SysStatsUtilizationDiskSpace=8.29% /home, SysStatsUtilizationDiskSpace=7.44% /localdisk, SysStatsUtilizationDiskSpace=21.19% /opt, SysStatsUtilizationDiskSpace=6.84% /storedconfig, SysStatsUtilizationDiskSpace=7.97% /tmp, SysStatsUtilizationDiskSpace=16.39% /var, AverageRadiusRequestLatency=0, AverageTacacsRequestLatency=0, DeltaRadiusRequestCount=0, DeltaTacacsRequestCount=0,
So I need to filter any log containing "System-Stats", but my configuration is not working. I guess there is a problem in my REGEX syntax. I seriously need help.
Thanks in advance.
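Added example (not from the original post or from Splunk): a small Python emulation of how a heavy forwarder resolves props.conf stanzas to transforms and routes an event to nullQueue or indexQueue. It lets you dry-run a REGEX against sample events before deploying, and it contrasts a props.conf stanza written as a bare `[udp://192.168.110.30:516]` header (which Splunk reads as a sourcetype name) with one keyed `[source::udp:516]`. Assumptions: the UDP input's source is `udp:516` and its sourcetype is `syslog`; `source::` stanzas are matched exactly (Splunk also allows wildcards, not modelled here); `host::` stanzas are ignored; Python's `re` stands in for Splunk's PCRE engine; the two sample events are constructed (the first shortened from the post, the second invented).

```python
import configparser
import re

# Constructed props.conf fragment with a bare [udp://...] header: Splunk treats this
# as a sourcetype name, so it only matches events whose sourcetype is that literal string.
POSTED_PROPS = """
[udp://192.168.110.30:516]
TRANSFORMS-set = Cisco_ACS
"""

# Same rule keyed on the source Splunk assigns to a UDP input on port 516.
# That the source is "udp:516" is an assumption about this input.
FIXED_PROPS = """
[source::udp:516]
TRANSFORMS-set = Cisco_ACS
"""

# transforms.conf fragment exactly as in the post.
TRANSFORMS = """
[Cisco_ACS]
REGEX = System-Stats
DEST_KEY = queue
FORMAT = nullQueue
"""

# Constructed sample events: one System-Stats line (shortened), one invented auth line.
SAMPLE_EVENTS = [
    "Jul 2 20:44:02 192.168.110.30 Jul 2 16:14:02 ACS CSCOacs_System_Statistics 0000028700 1 0 "
    "2019-07-02 16:14:02.670 +00:00 0000099874 70000 NOTICE System-Stats: ACS Utilization, "
    "SysStatsUtilizationCpu=5.48%",
    "Jul 2 20:45:11 192.168.110.30 Jul 2 16:15:11 ACS CSCOacs_Passed_Authentications 0000028701 1 0 "
    "2019-07-02 16:15:11.002 +00:00 0000099875 5200 NOTICE Passed-Authentication: Authentication succeeded",
]


def load_conf(text):
    """Parse a Splunk .conf fragment; keys keep their case (TRANSFORMS-set, REGEX, ...)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # must be set before reading, or keys are lower-cased
    cp.read_string(text)
    return cp


def matching_stanzas(props, source, sourcetype):
    """Stanzas Splunk would apply to an event: [source::<src>] (exact match here) or bare [<sourcetype>]."""
    found = []
    for name in props.sections():
        if name.startswith("source::"):
            if name[len("source::"):] == source:
                found.append(name)
        elif name.startswith("host::"):
            continue  # host-keyed stanzas are not modelled in this emulation
        elif name == sourcetype:
            found.append(name)
    return found


def transform_names(props, source, sourcetype):
    """Ordered transform names from every TRANSFORMS-<class> key in the matching stanzas."""
    names = []
    for stanza in matching_stanzas(props, source, sourcetype):
        for key, val in props[stanza].items():
            if key.startswith("TRANSFORMS-"):
                names.extend(n.strip() for n in val.split(","))
    return names


def route_event(event, props, transforms, source="udp:516", sourcetype="syslog"):
    """Default destination is indexQueue; a matching transform with DEST_KEY=queue rewrites it."""
    queue = "indexQueue"
    for name in transform_names(props, source, sourcetype):
        t = transforms[name]
        if t.get("DEST_KEY") == "queue" and re.search(t["REGEX"], event):
            queue = t["FORMAT"]
    return queue


def route_all(props_text, events=SAMPLE_EVENTS):
    """Route each sample event under the given props.conf text and the shared transforms.conf."""
    props, transforms = load_conf(props_text), load_conf(TRANSFORMS)
    return [route_event(e, props, transforms) for e in events]


if __name__ == "__main__":
    print("bare [udp://...] header:", route_all(POSTED_PROPS))  # no stanza matches: both indexed
    print("[source::udp:516] header:", route_all(FIXED_PROPS))  # System-Stats event goes to nullQueue
```

Run it as a script to see both routings side by side; to test a different REGEX, change the `TRANSFORMS` text and add more constructed events to `SAMPLE_EVENTS`.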