How to keep specific events from being ingested
- Release date: 2018-06-18
- Last updated: 2023-12-05
- Version: Splunk Enterprise 9.1.0
- Overview
- When ingesting log data, you can drop specific events with transforms.conf settings (REGEX, DEST_KEY, FORMAT) that route matching events to the null queue. Use this to exclude header lines, or events containing a particular string, so that they are never indexed.
Procedure for filtering specific events by regular expression so that they are not ingested
【procedure】
- In transforms.conf, specify the events to be excluded using regular expressions.
Create /opt/splunk/etc/system/local/transforms.conf if it does not exist.
    [null1]※
    REGEX = <regex A>※
    DEST_KEY = queue
    FORMAT = nullQueue

    [null2]※
    REGEX = <regex B>※
    DEST_KEY = queue
    FORMAT = nullQueue
Setting example: excluding events that contain the string msg=aaa or msg=bbb
    [null1]
    REGEX = msg\=aaa
    DEST_KEY = queue
    FORMAT = nullQueue

    [null2]
    REGEX = msg\=bbb
    DEST_KEY = queue
    FORMAT = nullQueue
supplement
- Be sure to save the file as UTF-8.
- The DEST_KEY and FORMAT lines in transforms.conf are always the same and do not need to be changed.
- Regex A and regex B must be regular expressions that match the strings you want to exclude. REGEX is an unanchored search over the raw text of each event, so msg=aaa also matches an event containing msg=aaab or xmsg=aaa; tighten or anchor the pattern if that is not intended, because events routed to the null queue are lost and cannot be recovered later.
- Set the parts marked ※ (stanza name, regular expression) according to your own environment.
- In props.conf, add the following line under the existing stanza for the log's source type.
    [<source type name>]
    TRANSFORMS-null = null1,null2
Setting example: setting for source type test
    [test]
    TRANSFORMS-null = null1,null2
supplement
- The example above keys the filter on the source type, but the same line can instead be placed in a [host::<host name>] or [source::<source path>] stanza of props.conf.
- Syntax of the setting: TRANSFORMS-<unique class name> = <stanza names used in transforms.conf>
- Here the class name is null, and because the transforms.conf stanzas are named null1 and null2, both are listed to the right of the equals sign, separated by commas. They are applied in the order listed.
- Restart Splunk.
【Notes】
- Configure this on the indexer (or on a heavy forwarder). Null-queue routing happens in the parsing pipeline, which a universal forwarder does not run, so it cannot be set on a universal forwarder.
- The filter applies only to events ingested after the setting takes effect. Events that have already been indexed are not deleted.
That's all.
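The following is an added example for checking a null-queue filter before deploying it; it is not code from the original page, Macnica or Splunk. It replays the two REGEX stanzas from the setting example above over a handful of constructed key=value events, shows which events the filter would drop and which stanza dropped them, and contrasts the page's loose patterns with tightened ones (assumption: the events are space-delimited key=value pairs). It also renders the matching transforms.conf and props.conf fragments for source type test. Python's re module is used as a stand-in for Splunk's PCRE engine; for these patterns the two agree. The names SAMPLE_EVENTS, apply_nullqueue and render_conf are this example's own.

```python
import re

# Constructed sample events for this example (not taken from the original page).
# Each line stands in for one event's raw text after line breaking.
SAMPLE_EVENTS = [
    "2024-01-05T10:00:00Z host=web1 msg=aaa user=alice",   # should be dropped
    "2024-01-05T10:00:01Z host=web1 msg=bbb user=bob",     # should be dropped
    "2024-01-05T10:00:02Z host=web1 msg=ccc user=carol",   # should be kept
    "2024-01-05T10:00:03Z host=web1 msg=aaab user=dave",   # looks similar, should be kept
    "2024-01-05T10:00:04Z host=web1 xmsg=aaa user=erin",   # looks similar, should be kept
]

# The two stanzas exactly as written in the setting example (stanza name -> REGEX).
# DEST_KEY = queue and FORMAT = nullQueue are the same for every stanza.
NULLQUEUE_STANZAS_LOOSE = {
    "null1": r"msg\=aaa",
    "null2": r"msg\=bbb",
}

# Tightened patterns (assumption: space-delimited key=value events), so that only
# the whole field value msg=aaa / msg=bbb matches, not msg=aaab or xmsg=aaa.
NULLQUEUE_STANZAS_TIGHT = {
    "null1": r"(?:^|\s)msg=aaa(?:\s|$)",
    "null2": r"(?:^|\s)msg=bbb(?:\s|$)",
}


def apply_nullqueue(events, stanzas):
    """Simulate TRANSFORMS-null = <stanzas> over a list of raw events.

    As in Splunk, each REGEX is an unanchored search over the raw event text, and
    the stanzas are tried in the listed order. An event matched by any stanza is
    routed to nullQueue and never indexed. Returns (kept, dropped), where dropped
    maps each dropped event to the stanza that removed it.
    """
    compiled = [(name, re.compile(pattern)) for name, pattern in stanzas.items()]
    kept, dropped = [], {}
    for event in events:
        for name, regex in compiled:
            if regex.search(event):
                dropped[event] = name
                break
        else:
            kept.append(event)
    return kept, dropped


def render_conf(stanzas, sourcetype):
    """Return the (transforms.conf, props.conf) text that deploys the same filter
    on an indexer or heavy forwarder, in the layout used in the procedure."""
    transforms = "\n".join(
        f"[{name}]\nREGEX = {pattern}\nDEST_KEY = queue\nFORMAT = nullQueue\n"
        for name, pattern in stanzas.items()
    )
    props = f"[{sourcetype}]\nTRANSFORMS-null = {','.join(stanzas)}\n"
    return transforms, props


if __name__ == "__main__":
    for label, stanzas in (("loose", NULLQUEUE_STANZAS_LOOSE),
                           ("tight", NULLQUEUE_STANZAS_TIGHT)):
        kept, dropped = apply_nullqueue(SAMPLE_EVENTS, stanzas)
        print(f"--- {label} patterns: kept {len(kept)}, dropped {len(dropped)}")
        for event, name in dropped.items():
            print(f"  dropped by [{name}]: {event}")
    transforms, props = render_conf(NULLQUEUE_STANZAS_TIGHT, "test")
    print("--- transforms.conf\n" + transforms + "--- props.conf\n" + props)
```

With the loose patterns only the msg=ccc event survives; the msg=aaab and xmsg=aaa events are silently dropped as well, which is the kind of over-filtering that is hard to notice once the data is gone. After deploying the rendered files and restarting, `splunk btool props list test --debug` and `splunk btool transforms list null1 --debug` show which file each setting was actually read from.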
Contact: Macnica, Inc., Splunk team
- TEL: 045-476-2010
- E-mail: splunk-sales@macnica.co.jp
Hours: Mon-Fri 8:45-17:30