Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to remove information from forwarded data?

ddarmand
Communicator
‎10-19-2015 02:20 AM

Hello everyone,

This is my topology:

Splunk Forwarder (with local copy of data) -----> Main Splunk

The forwarder is adding sourcetype from regex etc... and it appears in the main Splunk, but I prefer to have raw data. How is it possible to have this without deleting rules on the Splunk forwarder?

Thanks,

Damien

0 Karma
Reply

woodcock
Esteemed Legend
‎10-19-2015 06:32 AM

What makes you think that your sourcetype is being added to your raw event? I am unaware of any automatic (i.e. accidental) way that this could happen and to deliberately make it happen, although not difficult, is certainly something that takes some work. I suspect that your raw events are actually OK but you can see for yourself like this:

... | table sourcetype _raw

You will probably see that the field _raw always has an identical/unmodified copy of your raw events.

Reply

woodcock
Esteemed Legend
‎10-21-2015 09:42 AM

If I understand you correctly, this is your situation:

We have two types of users: A and B both generating the same events that are coming through syslog.  For type-B users, we'd like the logs without modifications (added fields, e.g. sourcetype) by the heavy forwarder (just as they come by syslog).  For type-A users, we'd like to add/keep these modifications.

If this is correct, then you need to build a REGEX that can match type-A users but not type-B users. Once this is done, you need to modify the stanza in transforms.conf that is adding the fields so that it has a REGEX= line. That should do it.

0 Karma
Reply

ddarmand
Communicator
‎10-20-2015 12:54 AM

It's added because i have some configurations to do this in props.conf transforms.conf ect... but i dont wan't to have these infos on the forwarded data

0 Karma
Reply

woodcock
Esteemed Legend
‎10-20-2015 08:07 AM

OK, I am TOTALLY confused. You are deliberately adding stuff to your raw events but you would like to not do so? Back all the way up and FULLY explain your existing configurations (and maybe why they are that way) and the explain your desired end state. As it is, right now, I am utterly confounded.

0 Karma
Reply

ddarmand
Communicator
‎10-21-2015 02:16 AM

Ok, sorry i will try to explain this :

http://zupimages.net/viewer.php?id=15/43/mnyy.png

http://zupimages.net/viewer.php?id=15/43/mnyy.png

As you can see, we have two types of users A and B.

I want to see on the main splunk for user B the logs without modifications by the heavy forwarder (as they come by syslog)

These modifications is adding sourcetype for example with props.conf and transforms.conf ect...

But user A need these modifications.

0 Karma
Reply

asimagu
Builder
‎10-19-2015 02:45 AM

so you are using a HW Forwarder?? why don't you try using a UF?

0 Karma
Reply

ddarmand
Communicator
‎10-19-2015 03:24 AM

because i need to keep local copy of events on the forwarder !

0 Karma
Reply

asimagu
Builder
‎10-19-2015 08:30 AM

cool, the more info you provide , the better we will be able to assist 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...