Data filtering | Blacklisting help needed

SabariRajanT · ‎07-27-2020

In order to filter below data logs not to ingest into splunk.

%DOMAIN-2-IME:
%DOMAIN-2-IME_DETAILS:
%DOMAIN-5-TCA:

Following techniques followed but it didn't worked out

a)Using Regex expression in transform.conf as \%.*\: to filter all the above 3 domain in transform.conf file(heavy forwarder) even-though logs are ingesting into splunk. Like below

[elimatedomain_text]
REGEX=\%.*\:
DEST_KEY=queue
FORMAT=nullQueue

b)Using Hardcode values as below in transform.conf file doesn't worked out

REGEX = %DOMAIN-2-IME:

REGEX = %DOMAIN-2-IME_DETAILS:

REGEX = %DOMAIN-5-TCA:

Any other solution to black list in heavy forwarder.?

harsmarvania57 · ‎07-27-2020

Hi,

Can you please provide props.conf configuration as well ?

SabariRajanT · ‎07-27-2020

Hi,

Thanks for your response. Awaiting your help.

Set1 try:

Props.conf:

TRANSFORMS-Set = discard_events, discard_events1, discard_events_2

================================================================================

Set2 try:

Props.conf:

[cisco:ios]
TRANSFORMS-t1=[elimatedomain_text]

Transform.conf:

[elimatedomain_text]
REGEX=\%.*\:
DEST_KEY=queue
FORMAT=nullQueue

harsmarvania57 · ‎07-27-2020

In props.conf, there should be not square bracket in TRANSFORMS

It should be like

[cisco:ios]
TRANSFORMS-t1= elimatedomain_text

Data filtering | Blacklisting help needed

heavy forwarder

props.conf

transforms.conf

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases