Splunk Search
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Filtering WinHostMon with transforms/props so it doesn't index the status of a particular service.

jospina2
Explorer
‎05-13-2019 10:16 AM

Hello,

I am trying to use transforms/props to filter a service from being indexed

This is what I have:

/etc/system/local/transforms.conf :

[testing_service_filter]
REGEX = MyService
DEST_KEY = queue
FORMAT = nullQueue

/etc/system/local/props.conf

[WinHostMon:Service]
TRANSFORMS-block_service = testing_service_filter

I have also tried:

[WinHostMon://Service]
TRANSFORMS-block_service = testing_service_filter
[source::service]
sourcetype = WinHostMon
TRANSFORMS-block_service = testing_service_filter
[source:service]
TRANSFORMS-block_service = testing_service_filter

and

[WinHostMon]
TRANSFORMS-block_service = testing_service_filter

What am I doing wrong? I have no problem filtering other sources (e.g. I have dozens of filters applied to WinEventLog, and never had an issue setting them up), but every transform I try to apply on WinHostMon doesn't seem to work. What am I missing?

Thanks

Reply

daviesg
Engager
‎12-11-2019 05:04 AM

I'm a Splunk newbie so I'm not sure this is the most efficient method but I've got it working by:

  1. Adding a stanza to props.conf in /etc/system/local

[WinHostMon]
TRANSFORMS-filter = filter_manual_service

  1. Add a stanza to the transforms.conf in /etc/system/local

[filter_manual_service]
REXEG = StartMode="Manual"
DEST_KEY = queue
FORMAT = nullQueue

It would be great to find out if there is a better way to do this.

Cheers

Graham

0 Karma
Reply

Kawtar
Path Finder
‎08-06-2019 02:33 PM

Hello jospina2,

Did you try an other : testing_service_filter2

transforms.conf
[testing_service_filter]
REGEX = MyService
DEST_KEY = queue
FORMAT = nullQueue

[testing_service_filter2]
REGEX = MyService
DEST_KEY = queue
FORMAT = nullQueue

And then in props.conf:

TRANSFORMS-block_service2 = testing_service_filter2,

Can you try this ?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Customers Increasingly Choose Splunk for Observability

For the second year in a row, Splunk was recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for ...
Top