Hello,
Our customer has decided to end use of Splunk in lieu of Sumo Logic, but we are looking to keep up internal use of Splunk due to 110 GB worth of perpetual licensing we have left over. We are currently filtering out non-essentials, and for us one of the big players is Linux syslog. I am attempting to use transforms and props to filter out everything that isn't an authentication failure. The regular expression is looking for the string of text "authentication failure". I tested my regex in regex101 and everything checks out, but when I turn on the syslog sourcetype, the proverbial floodgates are still opening up.
Can someone take a look at these and let me know what looks wrong here? The transforms are meant to bring in only events with "authentication failure" and toss out everything else.
props.conf:

```ini
[syslog]
TRANSFORMS-set=set_parsing,set_null
```

transforms.conf:

```ini
[set_parse]
REGEX = \bauthentication\b\s\bfailure\b
DEST_KEY = queue
FORMAT = indexQueue

[set_null]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
```
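A corrected pair of stanzas, added here as an example and not the poster's own files: it keeps the transform name consistent between props.conf and transforms.conf (the post references `set_parsing` but defines `[set_parse]`, so that stanza never runs) and lists `set_null` before `set_parsing`, because Splunk applies the TRANSFORMS list in order and the last transform that sets the `queue` key wins, so with `set_null` last every event, matches included, ends up in nullQueue. It assumes the events really arrive with sourcetype `syslog` and pass through an indexer or heavy forwarder, where index-time transforms run (a universal forwarder does not parse).

```ini
# props.conf (added example, not the poster's file)
# Order matters: the last transform that sets the queue key wins per event,
# so the catch-all null route goes first and the keep-rule goes last.
[syslog]
TRANSFORMS-set = set_null,set_parsing

# transforms.conf (added example, not the poster's file)
# 1) Send every syslog event to the null queue ...
[set_null]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# 2) ... then route events containing "authentication failure" back to the
#    index queue. The stanza name must match the name used in props.conf.
[set_parsing]
REGEX = \bauthentication\s+failure\b
DEST_KEY = queue
FORMAT = indexQueue
```

After restarting splunkd on the parsing tier, a search such as `sourcetype=syslog NOT "authentication failure"` over new data should return nothing if the routing is working.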