Filter events from UF based on source + sourcetype...

splunkreal · ‎01-13-2020

Hello,

is it possible to filter events based on sourcetype + (host OR sourcetype) with props.conf/transforms.conf on indexers?

Filtering data only based on sourcetype or source could be too wide.

Thanks.

* If this helps, please upvote or accept solution if it solved *

gcusello · ‎01-13-2020

Hi @realsplunk,
to filter events you have to identify a large information (e.g. sourcetype or host or source), then you have to find a regex to filter logs related to the above information.
You cannot use two of the above infos (e.g. sourcetype+host)
E.g.: sourcetype=WinEventLog:Security and regex = EventCode=1234

in props.conf

[wineventlog:security]
TRANSFORMS-null= setnull

in transforms.conf

[setnull]
REGEX = EventCode\=1234
DEST_KEY = queue
FORMAT = nullQueue

For more infos see at https://docs.splunk.com/Documentation/Splunk/8.0.1/Forwarding/Routeandfilterdatad

Ciao.
Giuseppe

to4kawa · ‎01-13-2020

Whitelist or blacklist specific incoming data

How's this?

splunkreal · ‎01-13-2020

Thanks, do you have an example based on a string?

* If this helps, please upvote or accept solution if it solved *

to4kawa · ‎01-13-2020

No, I don't have. sorry.

Filter events from UF based on source + sourcetype or host

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!