Channel: Questions in topic: "splunk-enterprise"

And condition between two different SOURCE_KEY in a stanza inside transforms.conf or in props.conf

Hi, I want to filter out Checkpoint events based on two different conditions:

1. It comes from a specific IP XX.XX.XX.XX; I have this information in the host metadata field.
2. The action field after parsing the _raw can't be equal to allowed.

I can filter out these two conditions separately with stanzas like this:

    [parse-action]
    REGEX = action=accept
    DEST_KEY = queue
    FORMAT = nullQueue

    [parse-hosts]
    SOURCE_KEY = MetaData:Host
    REGEX = (xx\.xx\.xx\.xx|yy\.yy\.yy\.yy)
    DEST_KEY = queue
    FORMAT = nullQueue

But I need both of them to be true at the same time, so I need to do an AND between them. How could I accomplish this?

PS. I don't have the host info anywhere in the _raw data, so I can't use the same regex.

Edit: Another approach would be to add the AND condition in props.conf. This is the configuration right now:

    TRANSFORMS-checkpoint_events = parse-action, parse-hosts

Instead of telling it to apply this after this, I want to apply this AND this.
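One way to get the AND without chaining two transforms, as an added example that is not part of the original post and not an official Splunk answer: move the host condition into the props.conf stanza scope and keep only the action check as a transform. A `[host::<host>]` stanza in props.conf is applied only to events whose host metadata matches, so a nullQueue transform listed there drops an event only when both the host matches and the regex matches. The host values 10.0.0.1 and 10.0.0.2, the class name `cp_drop_accept` and the transform name `checkpoint_drop_accept` are assumptions for the example; substitute the real hosts and the exact `action=` value you want to drop.

```ini
# props.conf  (added example, not from the original post)
# The host condition is the stanza scope: Splunk applies this stanza only to
# events whose host metadata is 10.0.0.1, so the transform below never sees
# events from any other host. One stanza per host to filter; "*" wildcards
# are allowed in host:: stanza names (e.g. [host::10.0.0.*]), regexes are not.
[host::10.0.0.1]
TRANSFORMS-cp_drop_accept = checkpoint_drop_accept

[host::10.0.0.2]
TRANSFORMS-cp_drop_accept = checkpoint_drop_accept

# transforms.conf  (added example, not from the original post)
# Only reached for the hosts above, so this is "host matches AND action=accept".
# _raw is the default SOURCE_KEY, so no SOURCE_KEY line is needed here.
[checkpoint_drop_accept]
# Bound the value so that e.g. action=accepted or action=accept_foo is kept.
REGEX = (?:^|\s)action=accept(?:\s|$)
DEST_KEY = queue
FORMAT = nullQueue
```

Two things to check when deploying this: the stanzas must live on the instance that parses the data (indexer or heavy forwarder, not a universal forwarder), and the class name must differ from the one in your existing sourcetype stanza. A host stanza takes precedence over a sourcetype stanza for index-time settings, so reusing `TRANSFORMS-checkpoint_events` in the host stanza would replace the sourcetype's transform list for those hosts instead of adding to it. After a restart, a search such as `host=10.0.0.1 action=accept` over new data should return nothing while accept events from other hosts still arrive.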
