All Apps and Add-ons

Routing events to null queue active directory dns debug

splunkranger
Path Finder

I need to drop all events that contain the string company.com for example below.

I would like to drop these events below.

This should work right?

Thank you

1674 PACKET UDP Snd 127.0.0.1 2d69 R Q [8081 DR NOERROR] A .redfish.company.com.
1674 PACKET UDP Snd 127.0.0.1 2d69 R Q [8081 DR NOERROR] A .https-proxy.company.com.

Props.conf

TRANSFORMS-drop = dropline
EXTRACT-dns_name = (?i)] \w+\s+(?P(.+))
SEDCMD-win_dns = s/(\d+)/./g
SEDCMD-domainname = s/(\(\d\))/./g

Transforms.conf

[dropline]
REGEX = company
DEST_KEY = queue
FORMAT = nullQueue

0 Karma

cygnetix
Path Finder

Hey splunkranger,

Try something like this in your props and transforms config files.

props.conf:

TRANSFORMS-null-dns1= company_com

transforms.conf:

[company_com]
REGEX = (?i:company\.com\.$)
DEST_KEY = queue
FORMAT = nullQueue

0 Karma

jcoates_splunk
Splunk Employee
Splunk Employee

I think so... has nothing to do with the Splunk Support for Active Directory though.

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...