Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Filtering WinHostMon with transforms/props so it doesn't index the status of a particular service.

jospina2
Explorer
‎05-13-2019 10:16 AM

Hello,

I am trying to use transforms/props to filter a service from being indexed

This is what I have:

/etc/system/local/transforms.conf :

[testing_service_filter]
REGEX = MyService
DEST_KEY = queue
FORMAT = nullQueue

/etc/system/local/props.conf

[WinHostMon:Service]
TRANSFORMS-block_service = testing_service_filter

I have also tried:

[WinHostMon://Service]
TRANSFORMS-block_service = testing_service_filter
[source::service]
sourcetype = WinHostMon
TRANSFORMS-block_service = testing_service_filter
[source:service]
TRANSFORMS-block_service = testing_service_filter

and

[WinHostMon]
TRANSFORMS-block_service = testing_service_filter

What am I doing wrong? I have no problem filtering other sources (e.g. I have dozens of filters applied to WinEventLog, and never had an issue setting them up), but every transform I try to apply on WinHostMon doesn't seem to work. What am I missing?

Thanks

Reply

daviesg
Engager
‎12-11-2019 05:04 AM

I'm a Splunk newbie so I'm not sure this is the most efficient method but I've got it working by:

  1. Adding a stanza to props.conf in /etc/system/local

[WinHostMon]
TRANSFORMS-filter = filter_manual_service

  1. Add a stanza to the transforms.conf in /etc/system/local

[filter_manual_service]
REXEG = StartMode="Manual"
DEST_KEY = queue
FORMAT = nullQueue

It would be great to find out if there is a better way to do this.

Cheers

Graham

0 Karma
Reply

Kawtar
Path Finder
‎08-06-2019 02:33 PM

Hello jospina2,

Did you try an other : testing_service_filter2

transforms.conf
[testing_service_filter]
REGEX = MyService
DEST_KEY = queue
FORMAT = nullQueue

[testing_service_filter2]
REGEX = MyService
DEST_KEY = queue
FORMAT = nullQueue

And then in props.conf:

TRANSFORMS-block_service2 = testing_service_filter2,

Can you try this ?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...

Secure Your Future: Mastering Upgrade Readiness for Splunk 10

Spotlight: The Splunk Health Assistant Add-On  The Splunk Health Assistant Add-On is your ultimate companion ...

Observability Unlocked: Kubernetes & Cloud Monitoring with Splunk IM

Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team on ...