Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Heavy Forwarder, Syslog filter

benedetto
Engager
‎10-03-2012 09:03 AM

Hi all,

How can I create a filter that sends just Syslog login and logout events? I have a Syslog on different machines that send syslog events to each their own forwarders and then come to indexer. How can I create a filter that has as sourcetype syslog?

thanks in advance,
Best regards.

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎10-03-2012 09:39 AM

here is your answer : Keep specific events and discard the rest

http://docs.splunk.com/Documentation/Splunk/4.3.4/Deploy/Routeandfilterdatad#Keep_specific_events_an...

Here is an example, please time the regex to your events.
In props.conf, set the TRANSFORMS rule for any syslog soucretype

[syslog]
TRANSFORMS-filtersyslog= setnull,keeponlyloginlogout

Create a corresponding stanza in transforms.conf.
`
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[keeponlyloginlogout]
REGEX = (login|logout)
DEST_KEY = queue
FORMAT = indexQueue
`

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...