Route and filter data that is received only from certain index from tcp 9997 port

z080236
Explorer

Based on this

https://docs.splunk.com/Documentation/Splunk/8.2.0/Forwarding/Routeandfilterdatad#Filter_data_by_tar...

I have identified the method

Keep specific events and discard the rest

Keeping only some events and discarding the rest requires two transforms. In this scenario, which is the opposite of the previous one, the setnull transform routes all events to nullQueue while the setparsing transform selects the sshd events and sends them on to indexQueue.

As with other index-time field extractions, processing of transforms happens in the order that you specify them, from left to right. The key difference is the order in which you specify the stanzas. In this example, the setnull stanza must appear first in the list. This is because if you set it last, it matches all events and sends them to the nullQueue, and as it is the last transform, it effectively throws all of the events away, even those that previously matched the setparsing stanza.

When you set the setnull transform first, it matches all events and tags them to be sent to the nullQueue. The setparsing transform then follows, and tags events that match [sshd] to go to the indexQueue. The result is that the events that contain [sshd] get passed on, while all other events get dropped.

1. Edit props.conf and add the following (the stanza spec for a source uses a double colon, `source::`; a single colon would be read as a sourcetype name):

[source::splunk://tcp:9997]
TRANSFORMS-set = setnull,setparsing

2. Edit transforms.conf and add the following:

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = \[sshd\]
DEST_KEY = queue
FORMAT = indexQueue

What will be the regex if I want to regex by index?

Currently, I am receiving a copy of the events from an external Splunk indexer, and wish to filter the data out before it reaches my Splunk indexer.


koshyk
Super Champion

Option 1: Try the below to push to an index

[setparsing]
REGEX=\[sshd\]
DEST_KEY=_MetaData:Index
FORMAT=my_new_index

Option 2: Another idea to try out is to ensure the `sshd` type of data has a new sourcetype

[setparsing]
REGEX = \[sshd\]
FORMAT = sourcetype::mycustom:linux:sshd
DEST_KEY = MetaData:Sourcetype

and then use it in your props.conf. This way you can group relevant data into a sourcetype which can then be pushed to the relevant index.

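To make the ordering rule from the quoted documentation and the two options above concrete, here is an added Python simulation of how Splunk walks a TRANSFORMS-&lt;class&gt; list. It is not Splunk code and not from either post: the .conf text is constructed to mirror the stanzas in this thread (setnull/setparsing from the question, the `_MetaData:Index` and `MetaData:Sourcetype` transforms from the answer), the sample events are constructed, and the "events start in indexQueue" default and the stripping of a `field::` prefix from FORMAT are modelling assumptions. Running the same events through different orders shows why setnull must come first, and how Option 1 rewrites the destination index.

```python
"""Added example: simulate Splunk index-time transform ordering.

Splunk applies the transforms named in TRANSFORMS-<class> left to right, and
when two transforms write the same DEST_KEY the later match overwrites the
earlier one. The conf text and events below are constructed for this demo.
"""
import re

# Constructed props.conf, mirroring the question (note the double colon).
PROPS_CONF = r"""
[source::splunk://tcp:9997]
TRANSFORMS-set = setnull, setparsing
"""

# Constructed transforms.conf: the two stanzas from the question plus the
# two options from the answer.
TRANSFORMS_CONF = r"""
# Drop everything ...
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# ... then rescue the [sshd] events
[setparsing]
REGEX = \[sshd\]
DEST_KEY = queue
FORMAT = indexQueue

# Option 1: send [sshd] events to another index
[setindex]
REGEX = \[sshd\]
DEST_KEY = _MetaData:Index
FORMAT = my_new_index

# Option 2: give [sshd] events their own sourcetype
[setsourcetype]
REGEX = \[sshd\]
FORMAT = sourcetype::mycustom:linux:sshd
DEST_KEY = MetaData:Sourcetype
"""

# Constructed sample events as they might arrive on the splunktcp input,
# carrying the index and sourcetype the forwarder assigned.
SAMPLE_EVENTS = [
    {"_raw": "Jun  1 10:00:01 host1 [sshd] Accepted publickey for alice from 10.0.0.5",
     "_MetaData:Index": "main", "MetaData:Sourcetype": "syslog"},
    {"_raw": "Jun  1 10:00:02 host1 cron[55]: (root) CMD run-parts /etc/cron.hourly",
     "_MetaData:Index": "main", "MetaData:Sourcetype": "syslog"},
    {"_raw": "Jun  1 10:00:03 host1 [sshd] Failed password for invalid user bob",
     "_MetaData:Index": "main", "MetaData:Sourcetype": "syslog"},
]


def parse_conf(text):
    """Minimal .conf reader: {stanza: {KEY: value}}; comments and blanks ignored."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def apply_transforms(event, names, transforms):
    """Run the named transforms in order; each match overwrites its DEST_KEY."""
    for name in names:
        t = transforms[name]
        subject = event.get(t.get("SOURCE_KEY", "_raw"), "")
        if re.search(t["REGEX"], subject):
            fmt = t["FORMAT"]
            # MetaData FORMATs are written "field::value"; keep the value (modelling choice).
            event[t["DEST_KEY"]] = fmt.split("::", 1)[1] if "::" in fmt else fmt
    return event


def route(events, order, transforms):
    """Route each event with the given TRANSFORMS-set order (assumed indexQueue default)."""
    names = [n.strip() for n in order.split(",")]
    return [apply_transforms({**e, "queue": "indexQueue"}, names, transforms) for e in events]


def demo(order=None):
    """Return (queue, index, sourcetype) per sample event; order defaults to props.conf."""
    props = parse_conf(PROPS_CONF)
    transforms = parse_conf(TRANSFORMS_CONF)
    order = order or props["source::splunk://tcp:9997"]["TRANSFORMS-set"]
    return [(e["queue"], e["_MetaData:Index"], e["MetaData:Sourcetype"])
            for e in route(SAMPLE_EVENTS, order, transforms)]


if __name__ == "__main__":
    for order in (None, "setparsing, setnull", "setnull, setparsing, setindex, setsourcetype"):
        print(order or "(order from props.conf)", demo(order))
```

With the order from props.conf only the two `[sshd]` events survive; with `setparsing, setnull` every event ends in nullQueue because setnull is the last transform to match; appending setindex and setsourcetype keeps the queue decision and additionally rewrites the index and sourcetype of the surviving events.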