- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- filtering off events based based on ip address
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
filtering off events based based on ip address
Hi,
I am trying to filter off ip address on our splunk server based on the source - C:\http server\logs\web-access.log
A sample of the event looks like this:
192.168.1.15 - - [17/Feb/2011:18:13:34 +0800] "GET /" 200 8146
And my configuration:
props.conf
[source::C:\\http server\\logs\\web-access.log]
TRANSFORMS-null = sendnull
transforms.conf
[sendnull]
REGEX = 192\.168\.1\.15
DEST_KEY = queue
FORMAT = nullQueue
I still see events from 192.168.1.15 coming in.Any idea?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If the instance monitoring the log is not a light-weight forwarder, then all transforms should be done there. In such a case your config will have no effect on the indexer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
any idea what's wrong with my config?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
also to mention,my splunk server is receiving events from the web server,where splunk is installed as a forwarder and configured to read apache log files locally before forwarding them.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've also tried to specify this in the stanza name in props.conf:
[source::C:\http server\logs\web-access.log]..but not working..Could it be due to the space between http and server?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The file path should be "C:\http server\logs\web-access.log". There's a space between "http" and "server". I've amended my post.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Stanza name in props.conf is incorrect: you've got to prepend it with "source::".
See props.conf spec for more info
[<spec>]
* This stanza enables properties for a given <spec>.
* A props.conf file can contain multiple stanzas for any number of different <spec>.
* Follow this stanza name with any number of the following attribute/value pairs.
* If you do not set an attribute for a given <spec>, the default is used.
<spec> can be:
1. <sourcetype>, the source type of an event.
2. host::<host>, where <host> is the host for an event.
3. source::<source>, where <source> is the source for an event.
[...]
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
