Greetings all. I am having some trouble getting syslog data to filter with regards to nullQueue. Below are what my config files look like and some additional troubleshooting I've taken so far.

inputs.conf

    [udp://5514]
    connection_host = ip
    index = org_index
    sourcetype = cisco:firepower:syslog

props.conf

    [source::udp:5514]
    TRANSFORMS-set= setnull,setparsing

transforms.conf

    [setnull]
    REGEX = .
    DEST_KEY = queue
    FORMAT = nullQueue

    [setparsing]
    REGEX = \%FTD-\d-(430002|430003)
    DEST_KEY = queue
    FORMAT = indexQueue

My environment flows Firepower syslog > Heavy Fwd (on prem) > Splunk Cloud, and the above configs are on the Heavy Fwd. In the syslog stream, there are "Correlation Event" logs I am trying to drop. Above I am trying to ingest only message IDs 430002 and 430003 and drop everything else; however, Correlation Events are still coming in. I've also tried the alternative where I'm targeting Correlation Event in the regex in an effort to drop them, also unsuccessful.

Below are some additional troubleshooting steps I've taken:

- reformatting the source as [source::udp://5514] in props.conf
- removed spaces before and after the equals signs for each attribute
- removed the line "REGEX = ." in transforms.conf
- tried the sourcetype in props.conf, so [cisco:firepower:syslog]
- tried different regex matches, using regex101
- restarting Heavy Fwd after each change

Here is the Splunk Doc I've been working with primarily: https://docs.splunk.com/Documentation/Splunk/8.1.0/Forwarding/Routeandfilterdatad#Discard_specific_events_and_keep_the_rest

Any help is greatly appreciated!
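As an added illustration (not part of the original post, and not Splunk's own code), the script below emulates the one thing the "discard specific events and keep the rest" pattern relies on: the transforms named in TRANSFORMS-set run left to right, each matching transform overwrites the queue key, so the last match wins. It applies the poster's two transforms to a handful of constructed Firepower-style lines, shows which message IDs would reach the index, and shows what happens if the order is reversed. The sample events, the hostname ftd01 and the non-430002/430003 message IDs are constructed placeholders; the matcher is Python's re rather than Splunk's PCRE engine, and the model assumes REGEX is tested against the raw event and that the default destination is indexQueue, which is a simplification of the real parsing pipeline.

```python
import re

# Constructed sample Firepower-style syslog events (not taken from the post).
# Message IDs other than 430002/430003 stand in for "everything else".
SAMPLE_EVENTS = [
    "<166>Nov 10 12:00:01 ftd01 %FTD-6-430002: DeviceUUID: 0000-constructed, AccessControlRuleAction: Allow",
    "<166>Nov 10 12:00:02 ftd01 %FTD-6-430003: DeviceUUID: 0000-constructed, AccessControlRuleAction: Block",
    "<166>Nov 10 12:00:03 ftd01 %FTD-1-430001: DeviceUUID: 0000-constructed, Priority: High",
    "<166>Nov 10 12:00:04 ftd01 %FTD-5-430005: Correlation Event: constructed placeholder",
]

# The two transforms from the post, in the order TRANSFORMS-set lists them.
TRANSFORMS = [
    {"name": "setnull", "regex": r".", "dest_key": "queue", "format": "nullQueue"},
    {"name": "setparsing", "regex": r"\%FTD-\d-(430002|430003)", "dest_key": "queue", "format": "indexQueue"},
]


def route_event(raw, transforms=TRANSFORMS):
    """Return the queue an event lands in after every transform has been applied in order.

    Each matching transform overwrites the `queue` key, so the last match wins:
    setnull sends everything to nullQueue, then setparsing pulls the wanted IDs back
    to indexQueue. An event matching no transform keeps the assumed default, indexQueue.
    """
    keys = {"queue": "indexQueue"}
    for t in transforms:
        if re.search(t["regex"], raw):
            keys[t["dest_key"]] = t["format"]
    return keys["queue"]


def route_all(events=SAMPLE_EVENTS, transforms=TRANSFORMS):
    """Map each raw event to its final queue."""
    return {raw: route_event(raw, transforms) for raw in events}


def kept_message_ids(events=SAMPLE_EVENTS, transforms=TRANSFORMS):
    """Message IDs of the events that would reach the index, for a quick offline check."""
    ids = []
    for raw, queue in route_all(events, transforms).items():
        m = re.search(r"%FTD-\d-(\d{6})", raw)
        if queue == "indexQueue" and m:
            ids.append(m.group(1))
    return ids


if __name__ == "__main__":
    for raw, queue in route_all().items():
        print(f"{queue:10s} {raw[:60]}")
    # Reversing the order reproduces the classic mistake: setnull runs last and drops everything.
    print("kept with listed order:  ", kept_message_ids())
    print("kept with reversed order:", kept_message_ids(transforms=list(reversed(TRANSFORMS))))
```

Running the script with the transforms in the listed order keeps only 430002 and 430003 and sends the constructed correlation line to nullQueue; with the order reversed nothing survives. Dropping constructed lines through a model like this is a cheap way to check a regex and the transform ordering before restarting a forwarder, but it does not replace confirming the real source value and the stanza that actually matched on the forwarder itself.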