Re: Filter syslog input before indexing

bumjubeo · ‎11-26-2010

I am looking to filter my syslog traffic before it gets indexed by splunk as we are getting a fair bit of fluff from our esxi hosts.

This is what I have setup so far, and it doesnt appear to be working....it may be an error on my regex, I'm hoping not haha.

-props.conf-

[source::SyslogVMware] TRANSFORMS-null = setnull

-transforms.conf-

[setnull] REGEX = [hostd] DEST_KEY = queue FORMAT = nullQueue

I am hoping to remove all alerts recieved from hostd before being indexed, but this doesnt appear to filter anything and i'm hoping I can get a quick pointer in the right direction.

Thanks!

bumjubeo · ‎11-26-2010

Type your custom source correctly and this issue wont be a problem. 😉

bumjubeo · ‎11-26-2010

Ends up the initial regex Hostd: wasn't actually working because Vpxa was being so chatty I didnt notice any Hostd logs, upon further filtering the search I noticed Hostd was sending logs. Looked at my custom source name and I was using the Sourcetype name and not the Source name.

bumjubeo · ‎11-26-2010

Figured out a bit....my regex didnt need [hostd].

I made my REGEX = Hostd:

and this worked, I am not working on the or command which should be a pipe...arent the conf files using perl regexes?

Filter syslog input before indexing

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases