Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Filtering WinHostMon with transforms/props so it doesn't index the status of a particular service.

jospina2
Explorer
‎05-13-2019 10:16 AM

Hello,

I am trying to use transforms/props to filter a service from being indexed

This is what I have:

/etc/system/local/transforms.conf :

[testing_service_filter]
REGEX = MyService
DEST_KEY = queue
FORMAT = nullQueue

/etc/system/local/props.conf

[WinHostMon:Service]
TRANSFORMS-block_service = testing_service_filter

I have also tried:

[WinHostMon://Service]
TRANSFORMS-block_service = testing_service_filter
[source::service]
sourcetype = WinHostMon
TRANSFORMS-block_service = testing_service_filter
[source:service]
TRANSFORMS-block_service = testing_service_filter

and

[WinHostMon]
TRANSFORMS-block_service = testing_service_filter

What am I doing wrong? I have no problem filtering other sources (e.g. I have dozens of filters applied to WinEventLog, and never had an issue setting them up), but every transform I try to apply on WinHostMon doesn't seem to work. What am I missing?

Thanks

Reply

daviesg
Engager
‎12-11-2019 05:04 AM

I'm a Splunk newbie so I'm not sure this is the most efficient method but I've got it working by:

  1. Adding a stanza to props.conf in /etc/system/local

[WinHostMon]
TRANSFORMS-filter = filter_manual_service

  1. Add a stanza to the transforms.conf in /etc/system/local

[filter_manual_service]
REXEG = StartMode="Manual"
DEST_KEY = queue
FORMAT = nullQueue

It would be great to find out if there is a better way to do this.

Cheers

Graham

0 Karma
Reply

Kawtar
Path Finder
‎08-06-2019 02:33 PM

Hello jospina2,

Did you try an other : testing_service_filter2

transforms.conf
[testing_service_filter]
REGEX = MyService
DEST_KEY = queue
FORMAT = nullQueue

[testing_service_filter2]
REGEX = MyService
DEST_KEY = queue
FORMAT = nullQueue

And then in props.conf:

TRANSFORMS-block_service2 = testing_service_filter2,

Can you try this ?

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...