Getting Data In

How to filter events containing the string "desktop$" from being indexed?

jttuman
New Member

Using folder redirection on a server is creating nearly a quarter million events per hour being forwarded, I want some of the event codes for other shares to be logged, but not specific ones so is there any way to filter events that contain the string "desktop$" from being indexed? Currently on the indexer I've made the props.conf and transforms.conf in %splunkhome%/etc/system/local

props.conf
[default]
TRANSFORMS-remove_events=wminull

transforms.conf
[wminull]
REGEX=(?s)desktop$
DEST_KEY=queue
FORMAT=nullQueue

but that doesn't seem to be working

0 Karma

lguinn2
Legend

Your regular expression contains a special character desktop$ means "Find the word desktop at the end of a line".

I think you may want this instead:

REGEX=(?s)desktop\$

Also remember that regular expressions are case-sensitive.

Finally, by putting the TRANSFORMS- in the [default] stanza of props.conf, you are forcing Splunk to evaluate this regular expression for every event that arrives at the indexer. This is horribly inefficient. I would suggest that you use a sourcetype stanza of some sort instead. For example

[win*]
TRANSFORMS-remove_events=wminull
0 Karma

jttuman
New Member

You know I think that might have done it, and I modified the props.conf to be
[host::]

that way the indexer should only be concerned about that one forwarder correct?

Also what if I wanted to add a couple more strings to the excluded search such as IPC$ and usr would I just edit the transforms like this?
REGEX=(?s)desktop\$,(?s)IPC\$,(?s)usr
or do I not need the (?s) between each comma? I thinks it's comma that separates it?

0 Karma

lguinn2
Legend

Yes, if the data is coming as "myServer" then [host::myServer] will work great.

In regular expressions, alternation is |, so you could do this

REGEX=(?s)desktop\$|IPC\$|usr

You only need the (?s) once, as it applies to the whole regular expression. Be aware that Splunk uses unanchored regular expressions. That means that if splunk finds one of the strings "desktop$" or "IPC$" or "usr" anywhere in the event, the event will be dropped.

If you are going to be writing a lot of regular expressions, you might want to consider picking up a tool, tutorial or reference. There is a brief tutorial/description in the Splunk documentation here, but you can find tons of resources online.

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...