Hello!
I am trying to exclude a specific computer_name from showing up in our carbonblack index in Splunk using a Heavy Forwarder, which is where the data is monitored.
Below is an example of my props.conf & transform.conf
props.conf
[source::/var/data/events.json]
TRANSFORMS-null = nullFilter
transform.conf
[nullFilter]
REGEX = (?ms)(.*"computer_name":\s*"test-machine".*)
DEST_KEY = queue
FORMAT = nullQueue
Raw data in Splunk:
{"path":"/usr/sbin/abrt-server","md5":"9F469AA349AA64009C3DB7BE","sha256":"","command_line":"abrt-server -s","parent_path":"/usr/sbin/abrtd","parent_pid":546,"parent_guid":-390649270232,"filtering_known_dlls":false,"parent_md5":"97E3CDA03CB1A8CDF9","expect_followon_w_md5":false,"link_parent":"https://server-name:443/#analyze/00000000-0000-0000-0000-74e9a5a/1","username":"root","parent_create_time":1682147484,"pid":27474,"process_guid":"00000000-0000-0000-0000-0000000e","link_process":"https://server-name:443/#analyze/00000000-0000-0000-0000-99132070551e/0","link_sensor":"https://server-name:443/#/host/518","process_path":"/usr/sbin/abrt-server","cb_server":"server-name","type":"ingress.event.procstart","sensor_id":123,"computer_name":"test-machine","event_type":"proc","timestamp":1686123541}
List format data in Splunk (there are two ways the data is displayed in Splunk, but the JSON file produced the raw data above):
{ [-]
cb_server: server-name
command_line: abrt-server -s
computer_name: test-machine
event_type: proc
expect_followon_w_md5: false
filtering_known_dlls: false
link_parent: https://server-name:443/#analyze/00000000-0000-0000-0000-74e9a5a/1
link_process: https://server-name:443/#analyze/00000000-0000-0000-0000-99132070551e/0
link_sensor: https://sever-name:443/#/host/123
md5: 9F469AA349AA64009C3DB7BE
parent_create_time: 1682147484
parent_guid: -390649270232
parent_md5: 97E3CDA03CB1A8CDF9
parent_path: /usr/sbin/abrtd
parent_pid: 546
path: /usr/sbin/abrt-server
pid: 27474
process_guid: 00000000-0000-0000-0000-99132070551e
process_path: /usr/sbin/abrt-server
sensor_id: 123
sha256:
timestamp: 1686123541
type: ingress.event.procstart
username: root
}
I have tried a few different regex entries but they keep failing. I was using a UF initially, then read the Splunk docs and upgraded to a Heavy Forwarder, but I still keep getting the same problem. Can you please provide any assistance? It would be very much appreciated.
My initial aim is to get this working for a single machine, then hopefully look to exclude multiple machines sharing a similar naming convention, for example "PC123...". I would be grateful if you can provide the best way to tackle both scenarios.
Thanks!
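To check which events a given REGEX would route to nullQueue before deploying a transforms.conf stanza, here is an added Python harness (not part of the original post, and not Splunk's own code) that runs candidate patterns over constructed events shaped like the record above. It assumes Splunk's unanchored PCRE search semantics, which Python's re.search approximates for these patterns, and covers both the single-host case and the "PC123..." prefix scenario.

```python
import json
import re

# Constructed sample events modelled on the Carbon Black procstart record in
# the post (fields trimmed, values invented); not real sensor data.
SAMPLE_EVENTS = [
    '{"type":"ingress.event.procstart","sensor_id":123,"computer_name":"test-machine","event_type":"proc"}',
    '{"type":"ingress.event.procstart","sensor_id":124,"computer_name":"test-machine2","event_type":"proc"}',
    '{"type":"ingress.event.procstart","sensor_id":125,"computer_name":"PC123-LAB","event_type":"proc"}',
    '{"type":"ingress.event.procstart","sensor_id":126,"computer_name":"PC1234","event_type":"proc"}',
    '{"type":"ingress.event.procstart","sensor_id":127,"computer_name":"prod-web-01","event_type":"proc"}',
]

# Candidate REGEX values for a nullQueue stanza. Splunk applies REGEX as an
# unanchored search over the raw event, so the (?ms)(.* ... .*) wrapper from
# the post is unnecessary. The closing quote keeps "test-machine" from also
# dropping "test-machine2"; \s* tolerates a space after the colon.
SINGLE_HOST = r'"computer_name":\s*"test-machine"'
# Prefix convention: any computer_name beginning with PC123.
PREFIX_HOSTS = r'"computer_name":\s*"PC123[^"]*"'


def would_drop(regex: str, event: str) -> bool:
    """True if a stanza with this REGEX would send the event to nullQueue."""
    return re.search(regex, event) is not None


def simulate_filter(regex: str, events):
    """Return the computer_name of each event that would still be indexed."""
    return [json.loads(raw)["computer_name"] for raw in events if not would_drop(regex, raw)]


def render_stanza(name: str, regex: str) -> str:
    """Render the transforms.conf stanza for a chosen REGEX (hypothetical stanza name)."""
    return f"[{name}]\nREGEX = {regex}\nDEST_KEY = queue\nFORMAT = nullQueue\n"


if __name__ == "__main__":
    for label, rx in (("single host", SINGLE_HOST), ("PC123 prefix", PREFIX_HOSTS)):
        print(f"{label}: indexed -> {simulate_filter(rx, SAMPLE_EVENTS)}")
        print(render_stanza("nullFilter", rx))
```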