
Splunk Add-on for Tenable: How to correctly filter events to nullQueue from Tenable?

adamsmith47
Communicator

Hello,

My environment uses Nessus for vulnerability scanning, and we are importing the results of those scans via the Splunk Add-on for Tenable (https://splunkbase.splunk.com/app/1710/#/overview). The events are correctly being indexed into Splunk.

However, approximately 90% of the events generated from the Nessus scans are "Informative", which we do not wish to index into Splunk.

I've added a TRANSFORMS in the props.conf and a stanza in transforms.conf to find the appropriate "Informative" events with a regex and discard them using the queue nullQueue, but I have been unsuccessful in filtering out "Informative" events from new scan results as they are being indexed.

The Splunk Add-on for Tenable is installed on a heavy forwarder. I have attempted both having the props and transforms on the heavy forwarder, and having them on the indexers. Neither has worked as I intended. See added props and transforms below:

props.conf

[tenable:sc:vuln]
#To remove "severity = informative" events from being logged in to Splunk, to reduce events
TRANSFORMS-null= tenable_remove_severity_informative

transforms.conf

# To remove "severity = informative" events from being logged in to Splunk, to reduce events
[tenable_remove_severity_informative]
REGEX = "severity":\s\{(?:"name"|"description"|"id"):\s(?:"Info"|"Informative"|"0"),\s(?:"name"|"description"|"id"):\s(?:"Info"|"Informative"|"0"),\s(?:"name"|"description"|"id"):\s(?:"Info"|"Informative"|"0")\}
DEST_KEY = queue
FORMAT = nullQueue

I've tried other, simpler regex terms (thinking maybe it was just a regex problem), but I'm nearly certain I've eliminated that as a possibility. When I copy/paste the above regex to test against the logs, it correctly finds the text I'm looking for.

Any advice is greatly appreciated! Thank you!
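The following is an added example, not code from the original post or from the Splunk Add-on for Tenable. It reproduces what the transforms.conf stanza above does (a REGEX match sends the event to nullQueue, anything else continues to the index) so the pattern can be checked offline against constructed sample events before touching the forwarder. The sample events are constructed here in the JSON shape the question's regex expects (a nested "severity" object with "id", "name" and "description" keys) and are not real Nessus output; the order-independent pattern SIMPLER_REGEX is my own and is not from the page. Splunk evaluates REGEX with PCRE; the question's pattern uses only syntax that Python's re module shares with PCRE. What this harness cannot check is where Splunk applies the transform: events produced by an add-on's input on a heavy forwarder are parsed on that forwarder, so the props.conf and transforms.conf stanzas must be on the heavy forwarder, not only on the indexers.

```python
import json
import re

# The transforms.conf REGEX from the question, copied verbatim. Splunk runs it
# with PCRE; everything used here (\s, \{, non-capturing groups) behaves the
# same in Python's re module.
QUESTION_REGEX = re.compile(
    r'"severity":\s\{(?:"name"|"description"|"id"):\s(?:"Info"|"Informative"|"0"),'
    r'\s(?:"name"|"description"|"id"):\s(?:"Info"|"Informative"|"0"),'
    r'\s(?:"name"|"description"|"id"):\s(?:"Info"|"Informative"|"0")\}'
)

# Order- and whitespace-independent alternative (my own, not from the page):
# match a "severity" object whose "id" is "0" regardless of key order and of
# whether the serializer put a space after ':'. [^{}]* keeps the match inside
# the severity object so an "id" in some other object cannot trigger it.
SIMPLER_REGEX = re.compile(r'"severity":\s*\{[^{}]*"id":\s*"0"[^{}]*\}')

# Constructed sample events (not real scan output). The first two are
# serialized with json.dumps, which emits ': ' and ', ' separators, exactly the
# spacing the question's regex assumes. The third is the same informative
# finding with keys reordered and no spaces, as another serializer might emit.
SAMPLE_EVENTS = [
    json.dumps({"pluginID": "11111",
                "severity": {"id": "0", "name": "Info", "description": "Informative"}}),
    json.dumps({"pluginID": "22222",
                "severity": {"id": "3", "name": "High", "description": "High"}}),
    '{"pluginID": "33333", "severity":{"name":"Info","id":"0","description":"Informative"}}',
]


def route(event: str, pattern: re.Pattern = QUESTION_REGEX) -> str:
    """Return the queue a transform with DEST_KEY = queue / FORMAT = nullQueue
    would select for this event: 'nullQueue' on a REGEX match, otherwise the
    default 'indexQueue'."""
    return "nullQueue" if pattern.search(event) else "indexQueue"


def surviving_plugin_ids(events, pattern: re.Pattern = QUESTION_REGEX):
    """Plugin IDs of the events that would pass the transform and be indexed."""
    return [json.loads(e)["pluginID"] for e in events if route(e, pattern) == "indexQueue"]


if __name__ == "__main__":
    for name, pattern in (("question regex", QUESTION_REGEX), ("simpler regex", SIMPLER_REGEX)):
        print(name)
        for event in SAMPLE_EVENTS:
            print(f"  {json.loads(event)['pluginID']} -> {route(event, pattern)}")
```

Run it as a script to see the routing decision per event. The question's regex correctly drops the informative finding and keeps the high one, but it requires exactly one whitespace character after each colon, so the third event (same finding, different serializer spacing) would slip through to the index; the order-independent pattern drops it too. Only the REGEX is exercised here; the placement point above still has to be verified on the heavy forwarder.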

1 Solution

adamsmith47
Communicator

I don't know why, but, after I replaced

TRANSFORMS-null= tenable_remove_severity_informative

with

TRANSFORMS = tenable_remove_severity_informative

It started working. Not sure why I had to omit the namespace.
