Hi everyone,
For a few days now I've been tweaking my props.conf, transforms.conf, and rebooting Splunk trying to exclude certain events from being indexed (nullQueue). I have included the stanzas in my props.conf, transforms.conf, and an example of an event that I am trying to exclude below. I'm hoping that someone can save me another week of tweaking and rebooting Splunk trying to get this nullQueue to work :-)
My app-local-props.conf file contains:
[source::*opsec*]
TRANSFORMS-null:setnull
Note: I'm not sure if I identified the source correctly; you can see the full long path in the example event I included below.
My app-local-transforms.conf file contains:
[setnull]
REGEX=(?m)^service=(80)
DEST_KEY=queue
FORMAT=nullQueue
What I'm trying to exclude:
Here's an example of one of the multi-line events that contain "service=80" that I'm trying to send to the nullQueue. I modified the original event to shorten the length and also changed the IP addresses. You can see "service=80" near the middle of the second line:
loc=12345|time=19Aug2013 14:44:28|action=drop|orig=10.10.10.10|i/f_dir=inbound|i/f_name=eth1-01|has_accounting=0|src=10.10.10.10|s_port=49528|dst=10.10.10.10|service=80|proto=tcp|message_info=Address spoofing
host=SPLUNK-01 | sourcetype=opsec | source=/data/splunk/etc/apps/Splunk_TA_opseclea_linux22/bin/lea-loggrabber.sh --configentity SplunkLEA
I've tried many different variations (at least 20) of the REGEX but nothing has worked so far. Any advice or guidance is very appreciated!!
Thanks
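As an added example, not code from the poster or from Splunk itself, the script below emulates in Python how a transforms.conf REGEX is tested against the raw event text (SOURCE_KEY defaults to _raw), using a constructed copy of the posted event. It shows why `(?m)^service=(80)` cannot fire when the field sits in the middle of a line, and what a delimiter-anchored pattern does instead. Python's `re` behaves the same as Splunk's PCRE for these patterns. Two further points worth checking against the posted stanzas, stated here as general facts about Splunk configuration rather than anything the post confirms: the props.conf line has to be a key/value pair, `TRANSFORMS-null = setnull`, not `TRANSFORMS-null:setnull`; and nullQueue routing only takes effect on the tier that parses the data (indexers or heavy forwarders), so the files must live there and Splunk must be restarted on that host, not on a universal forwarder.

```python
import re

# Constructed sample event modelled on the one in the post (the IPs were
# already anonymised there). Splunk tests the transforms.conf REGEX against
# the whole raw event (_raw); the pipe-delimited fields sit on one line.
SAMPLE_EVENT = (
    "loc=12345|time=19Aug2013 14:44:28|action=drop|orig=10.10.10.10|"
    "i/f_dir=inbound|i/f_name=eth1-01|has_accounting=0|src=10.10.10.10|"
    "s_port=49528|dst=10.10.10.10|service=80|proto=tcp|"
    "message_info=Address spoofing"
)

# Constructed event that must NOT be dropped: service=8080 is not service=80.
KEEP_EVENT = SAMPLE_EVENT.replace("|service=80|", "|service=8080|")

# Constructed variant with a line break right before 'service=80'. This is
# the only layout in which the posted pattern would actually match.
MULTILINE_EVENT = SAMPLE_EVENT.replace("|service=80|", "|\nservice=80|")

# The regex from the post. With (?m), ^ matches at the start of each line,
# but 'service=80' is in the middle of the line, so there is no match.
POSTED_REGEX = r"(?m)^service=(80)"

# Anchor on the pipe delimiters (or line start/end) instead of the line
# start. This matches the field exactly, rejects service=8080, and still
# works if the field happens to begin a line.
FIXED_REGEX = r"(?m)(?:^|\|)service=80(?:\||$)"

# Corrected stanzas, as a reference for what the emulation below models.
# props.conf uses key = value syntax; a sourcetype stanza [opsec] would
# also work since the event carries sourcetype=opsec.
PROPS_CONF = """
[source::*opsec*]
TRANSFORMS-null = setnull
"""
TRANSFORMS_CONF = """
[setnull]
REGEX = (?m)(?:^|\\|)service=80(?:\\||$)
DEST_KEY = queue
FORMAT = nullQueue
"""


def would_be_dropped(event: str, regex: str) -> bool:
    """Emulate the transform: a REGEX hit sends the event to nullQueue."""
    return re.search(regex, event) is not None


def route(events, regex):
    """Split events into (indexed, dropped), mimicking queue vs nullQueue."""
    indexed, dropped = [], []
    for event in events:
        (dropped if would_be_dropped(event, regex) else indexed).append(event)
    return indexed, dropped


if __name__ == "__main__":
    for name, regex in (("posted", POSTED_REGEX), ("fixed", FIXED_REGEX)):
        indexed, dropped = route([SAMPLE_EVENT, KEEP_EVENT, MULTILINE_EVENT], regex)
        print(f"{name}: indexed={len(indexed)} dropped={len(dropped)}")
```

Running the block prints that the posted regex drops nothing from the single-line events and only catches the constructed multi-line variant, while the delimiter-anchored pattern drops both service=80 events and keeps the service=8080 one. Test the candidate REGEX against a real copy of _raw the same way before restarting Splunk, since a restart per attempt is what has been costing the time here.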