how to prevent specific syslog events from being c...

bjork6 · ‎09-12-2012

Hi. I am new to Splunk and I am trying to prevent specific logs to be collected. I have 3 Etehrnet switches and they generate a lot of garbage and I don't want my logs to be filled by unnecessary entries. I already know that I need to create "stuff" inside props.conf and transforms.conf.

In fact, what I want to do is to send to the nullQueue everything that comes from port udp 514 and that contains the word MSGBUILDER inside the _raw field.

Here is what I did:

Props.conf

[source::UDP:514]
TRANSFORMS-set= setnull

Transforms.conf

[setnull]
REGEX= MSGBUILDER
DEST_KEY = queue
FORMAT = nullQueue

There must be something I do not do properly because it doesn't work. Splunk continues to collect these logs instead of excluding them.

Anyone can help?

Thanks.

bjork6 · ‎09-12-2012

Hi jonuwz,

thanks for your answer but it's my mistake. I typed UDP (UPPER CASE) here but I definitely wrote udp (lower case) in props.conf.

Another idea someone?

Thanks.

jonuwz · ‎09-12-2012

Pretty sure UDP should be udp in props.conf

[source::udp:514]
TRANSFORMS-set= setnull

Update....

Have you restarted splunk since making the changes?

jonuwz · ‎09-13-2012

You're welcome.

bjork6 · ‎09-13-2012

Guess what? Either I'm lying or I must be blind but you were absolutely right. I double checked it this morning and udp was typed in UPPER CASE. Now it seems to work like a charm. Thank you very much.

how to prevent specific syslog events from being collected?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases