Filtering Events into nullqueue

JPrictoe · ‎02-23-2018

Real novice here. I am ingesting a sourcetype into Splunk, and want to filter out any events with the word "FAILED" right after the first IP address.`

Below is my props in etc\apps\search\local

[sslbcoat1]
DATETIME_CONFIG = 
NO_BINARY_CHECK = true
category = Custom
pulldown_type = true
TRANSFORMS-null = setnull

`
and then here's my transforms where I THOUGHT I was carving out failures and sending them to null:

[geo_us_states]
external_type = geo
filename = geo_us_states.kmz

[geo_countries]
external_type = geo
filename = geo_countries.kmz

[geo_attr_us_states]
filename = geo_attr_us_states.csv

[geo_attr_countries]
filename = geo_attr_countries.csv

[setnull]
REGEX = ^.+(F...).+$
DEST_KEY = queue
FORMAT = nullQueue

The regex might be wrong, but somehow I don't think that's the problem. Thanks and any insight would be appreciated.

Sample event:

014-04-17 13:50:22 2 10.3.31.70 FAILED - - - - 199.83.168.160 - - - none - - - - none - - 163.252.254.201 SG-SSL-Proxy-Service - 58642

martin_mueller · ‎02-24-2018

Your regex looks really off - copy&paste error? If not, all it does is look for the capital F followed by some characters.
This should be better: \s\d+\.\d+\.\d+\.\d+\s+FAILED
Note, this doesn't actually match only IPv4 addresses, but it should be correct enough. Additionally, it doesn't check if it's the first IP that's being followed by FAILED - address that if you expect events that contain FAILED after a later IP that you want to keep, for example by only looking N words deep into the event from the beginning, as these look like syslog-ish headers.

There is an app for Bluecoat ProxySG on Splunkbase, that might help you a lot with field extraction and stuff.

Filtering Events into nullqueue

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes