Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Filtering WinHostMon with transforms/props so it doesn't index the status of a particular service.

jospina2
Explorer
‎05-13-2019 10:16 AM

Hello,

I am trying to use transforms/props to filter a service from being indexed

This is what I have:

/etc/system/local/transforms.conf :

[testing_service_filter]
REGEX = MyService
DEST_KEY = queue
FORMAT = nullQueue

/etc/system/local/props.conf

[WinHostMon:Service]
TRANSFORMS-block_service = testing_service_filter

I have also tried:

[WinHostMon://Service]
TRANSFORMS-block_service = testing_service_filter
[source::service]
sourcetype = WinHostMon
TRANSFORMS-block_service = testing_service_filter
[source:service]
TRANSFORMS-block_service = testing_service_filter

and

[WinHostMon]
TRANSFORMS-block_service = testing_service_filter

What am I doing wrong? I have no problem filtering other sources (e.g. I have dozens of filters applied to WinEventLog, and never had an issue setting them up), but every transform I try to apply on WinHostMon doesn't seem to work. What am I missing?

Thanks

Reply

daviesg
Engager
‎12-11-2019 05:04 AM

I'm a Splunk newbie so I'm not sure this is the most efficient method but I've got it working by:

  1. Adding a stanza to props.conf in /etc/system/local

[WinHostMon]
TRANSFORMS-filter = filter_manual_service

  1. Add a stanza to the transforms.conf in /etc/system/local

[filter_manual_service]
REXEG = StartMode="Manual"
DEST_KEY = queue
FORMAT = nullQueue

It would be great to find out if there is a better way to do this.

Cheers

Graham

0 Karma
Reply

Kawtar
Path Finder
‎08-06-2019 02:33 PM

Hello jospina2,

Did you try an other : testing_service_filter2

transforms.conf
[testing_service_filter]
REGEX = MyService
DEST_KEY = queue
FORMAT = nullQueue

[testing_service_filter2]
REGEX = MyService
DEST_KEY = queue
FORMAT = nullQueue

And then in props.conf:

TRANSFORMS-block_service2 = testing_service_filter2,

Can you try this ?

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...