I am having trouble configuring my props.conf and transforms.conf to filter bro data at the heavy forwarder. Since the dns datasource is so chatty, I ONLY want to ingest events where the query field contains domains "A" and "B".
I have set my stanzas up according to the following Splunk documentation: http://docs.splunk.com/Documentation/Splunk/6.5.2/Forwarding/Routeandfilterdatad, but it is still not working. I'm not sure what I'm doing wrong.
props.conf:
[corelight_dns]
TRANSFORMS-dns= dns_null,dns_parsing
transforms.conf:
[dns_null]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[dns_parsing]
REGEX=\"query\"\:\".+\.[A|B]+\"
DEST_KEY = queue
FORMAT = indexQueue
The above link states two stanzas are needed; the 1st to filter all events to the nullQueue and 2nd to whitelist events matching regex pattern to indexQueue. It also states the nullQueue stanza has to go first. Am I misunderstanding something here?
We're using the Corelight application for our Bro data.
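The following is an added example and not code from the original post, from Splunk or from Corelight. It simulates how a `TRANSFORMS-<class>` chain with two queue-routing stanzas decides where an event goes: every transform in the list runs in order, each matching one overwrites `DEST_KEY = queue`, so a catch-all `nullQueue` stanza placed first is undone by a later `indexQueue` match. The domains `example.com` and `example.org` are stand-ins for the post's "A" and "B", the JSON lines are constructed, and the allow-list regex is written with an alternation group anchored to the end of the `query` value (a bracketed `[A|B]` is a character class matching the single characters `A`, `|` and `B`, which is shown at the end for comparison). Python's `re` is used in place of Splunk's PCRE engine for these patterns.

```python
import re

# Constructed sample lines in the compact JSON layout of a Corelight/Bro dns log.
# Values are made up; example.com / example.org stand in for the post's "A" and "B".
SAMPLE_EVENTS = [
    '{"ts":1503400000.1,"uid":"CA1","id.orig_h":"10.0.0.5","query":"www.example.com","qtype_name":"A"}',
    '{"ts":1503400000.2,"uid":"CA2","id.orig_h":"10.0.0.5","query":"example.org","qtype_name":"MX"}',
    '{"ts":1503400000.3,"uid":"CA3","id.orig_h":"10.0.0.6","query":"cdn.other.net","qtype_name":"A"}',
    '{"ts":1503400000.4,"uid":"CA4","id.orig_h":"10.0.0.7","query":"notexample.com","qtype_name":"A"}',
    '{"ts":1503400000.5,"uid":"CA5","id.orig_h":"10.0.0.7","query":"example.com.evil.test","qtype_name":"A"}',
]

ALLOWED_DOMAINS = ("example.com", "example.org")


def allow_regex_source(domains):
    """Regex for the allow-list stanza: the query must be one of the domains or a
    subdomain of it, and the closing quote anchors the match so that
    'example.com.evil.test' or 'notexample.com' do not slip through."""
    alternation = "|".join(re.escape(d) for d in domains)
    return r'"query":"(?:[^"]*\.)?(' + alternation + r')"'


# Same shape as TRANSFORMS-dns = dns_null,dns_parsing: (stanza name, REGEX, FORMAT).
TRANSFORMS = [
    ("dns_null", re.compile(r"."), "nullQueue"),
    ("dns_parsing", re.compile(allow_regex_source(ALLOWED_DOMAINS)), "indexQueue"),
]


def route(raw_event, transforms=TRANSFORMS):
    """Apply the transforms in list order; each match overwrites DEST_KEY=queue,
    so the last matching stanza wins. Default queue is indexQueue."""
    queue = "indexQueue"
    for _name, regex, fmt in transforms:
        if regex.search(raw_event):
            queue = fmt
    return queue


def kept_queries(events, transforms=TRANSFORMS):
    """Queries of the events that would actually reach the indexer."""
    kept = []
    for event in events:
        if route(event, transforms) == "indexQueue":
            kept.append(re.search(r'"query":"([^"]*)"', event).group(1))
    return kept


def render_transforms_conf(domains):
    """transforms.conf text matching the TRANSFORMS list above (hypothetical
    stanza names taken from the post; the order is set in props.conf)."""
    return (
        "[dns_null]\n"
        "REGEX = .\n"
        "DEST_KEY = queue\n"
        "FORMAT = nullQueue\n"
        "\n"
        "[dns_parsing]\n"
        "REGEX = " + allow_regex_source(domains) + "\n"
        "DEST_KEY = queue\n"
        "FORMAT = indexQueue\n"
    )


def char_class_vs_group(query):
    """Compare a character class [A|B] with an alternation group (A|B) on a
    literal query string: the class matches one character out of A, | and B."""
    char_class = re.compile(r'"query":".+\.[A|B]+"')
    group = re.compile(r'"query":"(?:[^"]*\.)?(A|B)"')
    line = '{"query":"' + query + '"}'
    return (bool(char_class.search(line)), bool(group.search(line)))


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(route(event), event)
    print(render_transforms_conf(ALLOWED_DOMAINS))
    print("x.| :", char_class_vs_group("x.|"))   # class matches the pipe, group does not
    print("host.A:", char_class_vs_group("host.A"))
```

Running the block prints one line per sample event with its destination queue, then the transforms.conf text, then the two comparison results; only `www.example.com` and `example.org` end up in `indexQueue`, and swapping the two entries in `TRANSFORMS` sends everything to `nullQueue`, which is why the documentation requires the catch-all stanza first.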