Hello all ye gurus
We have McAfee ePO data coming into Splunk as follows:
- DBX app installed which connects to the EPO data and pulls the information.
- the $Splunk_home$\etc\apps\dbx\local\inputs.conf has the source (dbmon_tail.......)
- the index, sourcetype=mcafee:epo are set here
This all works well, but I want to filter out a number of events that are extracted from the McAfee ePO database. Specifically, events where the signature = "Anti-virus Standard Protection:Prevent user rights policies from being altered".
So my strategy was to use the props and transforms files to filter them out.
So in the props file, I added:
[mcafee:epo]
TRANSFORMS-filter_unwanted_events=filter_unwanted_events
In the transforms file, I added:
[filter_unwanted_events]
REGEX = (?m)\nsignature.+Protection
DEST_KEY = queue
FORMAT = nullQueue
This is on a heavy forwarder; however, I am not able to get this to work.
Where am I going wrong?
- Is the transform not being applied on the right source/sourcetype?
- Is the regex not correct?
- Am I using the wrong props and transforms files?
Any help would be greatly appreciated.
Thanks!
Hi jeffryjacob,
here are my answers:
Is the transform not being applied on the right source/sourcetype?
Run $SPLUNK_HOME/bin/splunk cmd btool props mcafee:epo list
to verify this.
Is the regex not correct?
Yes, it is not correct. Try this: signature.+Protection
Am I using the wrong props and transforms files?
No, you're not.
Hope this helps ...
cheers, MuS
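As an added illustration (not part of either post, and not Splunk's own code), the following Python script mimics how a nullQueue transform decides per event, and runs the regex from the question and the one from the answer over a few constructed ePO-style events. It goes one step beyond the answer by also showing a tighter pattern pinned to the exact signature named in the question; the event layout and field names are assumptions.

```python
import re

# Constructed sample events (not real ePO output): three single-line events in
# the key=value layout a DBX dbmon-tail input typically emits, plus one
# multi-line event to show when the original regex does match.
SAMPLE_EVENTS = [
    'timestamp="2014-03-10 09:12:44", signature="Anti-virus Standard Protection:'
    'Prevent user rights policies from being altered", severity=3',
    'timestamp="2014-03-10 09:13:01", signature="EICAR test file", severity=1',
    'timestamp="2014-03-10 09:13:30", signature="Anti-virus Standard Protection:'
    'Prevent modification of McAfee files and settings", severity=3',
    'timestamp="2014-03-10 09:14:02"\nsignature="Anti-virus Standard Protection:'
    'Prevent user rights policies from being altered"\nseverity=3',
]

# REGEX from the question: the literal \n only matches when "signature" begins
# a new line inside the event, so single-line events never reach nullQueue.
ORIGINAL_REGEX = r"(?m)\nsignature.+Protection"
# REGEX suggested in the answer: matches wherever the field appears ...
ANSWER_REGEX = r"signature.+Protection"
# ... but it also drops every other "Anti-virus Standard Protection" rule.
# This tighter pattern (my addition) pins the exact signature from the question.
EXACT_REGEX = (r'signature="Anti-virus Standard Protection:'
               r'Prevent user rights policies from being altered"')

def route_events(events, regex):
    """Mimic a TRANSFORMS stanza with DEST_KEY = queue, FORMAT = nullQueue:
    an event whose _raw matches REGEX is dropped, all others are indexed.
    Returns (indexed, dropped)."""
    pattern = re.compile(regex)
    indexed, dropped = [], []
    for raw in events:
        (dropped if pattern.search(raw) else indexed).append(raw)
    return indexed, dropped

def dropped_count(regex, events=SAMPLE_EVENTS):
    """Number of sample events the given REGEX would send to nullQueue."""
    return len(route_events(events, regex)[1])

if __name__ == "__main__":
    for name, regex in [("original", ORIGINAL_REGEX), ("answer", ANSWER_REGEX),
                        ("exact", EXACT_REGEX)]:
        indexed, dropped = route_events(SAMPLE_EVENTS, regex)
        print(f"{name:8s} {regex!r}: indexed={len(indexed)} dropped={len(dropped)}")
```

Before deploying a pattern, run it against a sample of your own _raw events the same way; the original regex drops only the multi-line event here, while the answer's regex also removes the unrelated "Prevent modification" rule.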