I need to drop all events that contain the string company.com for example below.
I would like to drop these events below.
This should work, right?
Thank you
1674 PACKET UDP Snd 127.0.0.1 2d69 R Q [8081 DR NOERROR] A .redfish.company.com.
1674 PACKET UDP Snd 127.0.0.1 2d69 R Q [8081 DR NOERROR] A .https-proxy.company.com.

TRANSFORMS-drop = dropline
EXTRACT-dns_name = (?i)] \w+\s+(?P
SEDCMD-win_dns = s/(\d+)/./g
SEDCMD-domainname = s/(\(\d\))/./g

[dropline]
REGEX = company
DEST_KEY = queue
FORMAT = nullQueue
Hey splunkranger,
Try something like this in your props and transforms config files.
props.conf:

TRANSFORMS-null-dns1 = company_com

transforms.conf:

[company_com]
REGEX = (?i:company\.com\.$)
DEST_KEY = queue
FORMAT = nullQueue
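To see what each of the two filters would actually discard before pushing it to an indexer, here is an added Python simulation (not Splunk code, and not from either poster) that parses the two transforms.conf stanzas from this thread and routes the sample events plus two constructed look-alikes; it assumes Python's `re` is close enough to Splunk's PCRE for these patterns and that REGEX is matched against the raw event, as it is for a DEST_KEY = queue transform.

```python
import configparser
import re

# Constructed transforms.conf text holding both stanzas from the thread:
# the original poster's loose [dropline] and the answer's anchored [company_com].
TRANSFORMS_CONF = r"""
[dropline]
REGEX = company
DEST_KEY = queue
FORMAT = nullQueue

[company_com]
REGEX = (?i:company\.com\.$)
DEST_KEY = queue
FORMAT = nullQueue
"""

# The two events from the question, plus two constructed look-alikes that a bare
# "company" substring would also throw away.
SAMPLE_EVENTS = [
    "1674 PACKET UDP Snd 127.0.0.1 2d69 R Q [8081 DR NOERROR] A .redfish.company.com.",
    "1674 PACKET UDP Snd 127.0.0.1 2d69 R Q [8081 DR NOERROR] A .https-proxy.company.com.",
    "1674 PACKET UDP Snd 127.0.0.1 2d6a R Q [8081 DR NOERROR] A .intranet.companyx.org.",  # constructed
    "1674 PACKET UDP Snd 127.0.0.1 2d6b R Q [8081 DR NOERROR] A .company.com.example.net.",  # constructed
]


def load_transforms(conf_text):
    """Parse transforms.conf stanzas and compile the ones that route to a queue."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep REGEX / DEST_KEY / FORMAT exactly as written
    cp.read_string(conf_text)
    filters = {}
    for stanza in cp.sections():
        s = cp[stanza]
        if s.get("DEST_KEY") == "queue":
            filters[stanza] = (re.compile(s["REGEX"]), s["FORMAT"])
    return filters


def route(event, filters, order):
    """Apply the named transforms in order; the first regex hit decides the queue."""
    for name in order:
        regex, queue = filters[name]
        if regex.search(event):
            return queue
    return "indexQueue"  # nothing matched: the event is indexed as usual


def routing_table(conf_text, order, events=SAMPLE_EVENTS):
    """Return {event: queue} so a filter can be reviewed before it is deployed."""
    filters = load_transforms(conf_text)
    return {e: route(e, filters, order) for e in events}
```

Only the anchored [company_com] pattern leaves the constructed companyx.org and company.com.example.net events in the index, and its `$` anchor assumes the raw event ends right after the final dot.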
I think so... has nothing to do with the Splunk Support for Active Directory though.