Getting Data In

How to configure a heavy forwarder to filter out data before sending logs to the indexer?

mehhos
Engager

Hi,
I like to filter out "%ASA-4-106023" before sending log to splunk indexer, Below are my config:

inputs.conf
[monitor:///var/log/]

outputs.conf:
[tcpout]
defaultGroup = splunk-indexer.dax.net_9090
disabled = false

                [tcpout:splunk-indexer.dax.net_9090]
                server = <ip_to_splunk-indexer>:9090

                [tcpout-server://<ip_to_splunk-indexer>:9090]

props.conf
[source::

0 Karma

sowings
Splunk Employee
Splunk Employee

I'd just have the Test1 rule look like this:

[Test1]
REGEX = %ASA-4-106023
DEST_KEY = queue
FORMAT = nullQueue

Wildcards aren't necessary for this particular filtration, and in fact, the bare * is confusing, it's intended to "repeat 0 or more of the prior character".

mehhos
Engager

I try again:

inputs.conf

                 [monitor:///var/log/]

outputs.com

                 [tcpout]
                 defaultGroup = splunk-indexer.dax.net_9090
                 disabled = false

                 [tcpout:splunk-indexer.dax.net_9090]
                 server = 89.254.127.19:9090

                 [tcpout-server://89.254.127.19:9090]

props.conf

                [source::</var/log]
                TRANSFORMS-FilterEvent = Test1

transforms.conf

                [Test1]
                REGEX = *106023*
                DEST_KEY = queue
                FORMAT = nullQueue
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...