Help Required: Create a block filter to push event to null Queue #2548
Comments
Hi @evslacker, I checked your case and it seems that you need some help with a custom parser that stops the ingestion of a specific type of log. Here is what you can refer to: If you are still facing an issue with creating a parser, please create a support ticket so that we can collect all the necessary information, like sample logs, to further assist you.
Hey @cwadhwani-splunk, thanks for the link. I already went through it and I tried the below parser as well, but I am getting an error with that. I have also given the sample raw logs that I could see in the fallback and main index.
Hi @evslacker, we will need a sample raw log (the exact log that is coming to SC4S) to replicate the scenario on our end. To get the raw logs you can either provide us the PCAP file over a support case, or you can follow the below link to obtain the raw logs and attach them to a support case.
@evslacker
Here is the updated parser, which I tested with a self-generated log based on the provided information.
Note:
@cwadhwani-splunk, let me try this once. Also, the source is not a continuously log-generating source, hence allow me a few days' time to provide you a PCAP if needed; otherwise let me try this once.
Is it OK if I use OR instead of AND, so that if either the IP or the keyword matches, in both cases my logs will go to the null queue?
Hi @evslacker, thanks.
It worked partially, but yeah, the CASE was what I was lacking in my filter. Thanks for the help.
Hi Team, I have scan logs which are coming to SC4S, and neither the application team nor we want them in Splunk as they are useless. We are not able to stop them at the source, hence we thought of creating a block parser instead.
The logs are coming from 3 different IPs:
IP1, IP2, IP3
The logs also have a common keyword which comes in every log:
keyword= " Some Text @zabbix_server_detect.nasl Some Text*"
Can you please help create the parser for the above conditions?
I tried to build one below, but it didn't work:
Also, can you please mention the path where I have to save this parser? Is it under app_parsers or rewriters?
Below are sample logs:
Sourcetype=json
{"request":"active checks", "host":"$@zabbix_server_detect.nasl"}
Sourcetype=sc4s:fallback
PRI=13
MESSAGE=ZBX_GET_ACTIVE_CHECKS\n$@zabbix_server_detect.nasl-1722404282
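As an added example (not the parser posted in this thread, which is not reproduced on the page, and not SC4S project code), here is the filter logic the discussion converges on, written in plain syslog-ng filter syntax, which SC4S parsers are built from. The three addresses are placeholders for the reporter's IP1/IP2/IP3, the filter names are made up, and the case-insensitive flag is an assumption. The SC4S-specific parts (the block parser/application wrapper under app_parsers and the rewrite that sends matches to the null queue) are not shown on this page and are left out here.

```syslog-ng
# Added example, not from the thread. 192.0.2.10-12 stand in for the three
# scanner addresses (IP1, IP2, IP3) in the report; adjust to the real ones.
# netmask() tests the SOURCEIP of the sending connection, not the parsed HOST
# field, so it still matches the JSON event whose "host" value is the scanner
# keyword rather than an address.

# Narrow form (AND): drop an event only when it comes from one of the scanner
# addresses AND its message carries the scan keyword. Any other log those
# hosts send is kept, and the keyword alone from another host is kept.
filter f_block_zabbix_scan_narrow {
    (netmask("192.0.2.10/32") or netmask("192.0.2.11/32") or netmask("192.0.2.12/32"))
    and message("zabbix_server_detect.nasl" type("string") flags(substring ignore-case));
};

# Broad form (OR), as asked about in the thread: drop an event when EITHER
# condition holds. Caveat: this also drops every other log those three hosts
# send, and any event from any source whose message contains the keyword.
# Only use it when nothing else from those addresses is worth keeping.
filter f_block_zabbix_scan_broad {
    netmask("192.0.2.10/32") or netmask("192.0.2.11/32") or netmask("192.0.2.12/32")
    or message("zabbix_server_detect.nasl" type("string") flags(substring ignore-case));
};
```

Both sample events on this page (the JSON one and the sc4s:fallback one with `MESSAGE=ZBX_GET_ACTIVE_CHECKS\n$@zabbix_server_detect.nasl-...`) contain the keyword in MESSAGE, so the `message()` test matches them regardless of which form is chosen; `substring` avoids having to escape the `.` in the keyword, and `ignore-case` (an assumption here) covers a scanner that changes the plugin name's casing. For IPv6 scanner addresses the `netmask6()` filter is the equivalent of `netmask()`.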