Merge pull request #456 from clong/osquery_status_filter

Filter noisy osquery status info messages from Splunk
2020-06-01 21:48:23 -07:00
parent da366bcce6 2823f140d2
commit 1980665355
2 changed files with 4 additions and 4 deletions
--- a/Vagrant/resources/splunk_server/props.conf
+++ b/Vagrant/resources/splunk_server/props.conf
@@ -21,7 +21,7 @@ TIME_FORMAT = %s
 TRUNCATE = 0

 [osquery:status]
-TRANSFORMS-null = setnull
+TRANSFORMS-null = osquery_status_filter

 [WinEventLog]
-TRANSFORMS-null = autoruns_wineventlog_null
+TRANSFORMS-null = autoruns_wineventlog_null
--- a/Vagrant/resources/splunk_server/transforms.conf
+++ b/Vagrant/resources/splunk_server/transforms.conf
@@ -14,8 +14,8 @@ DEST_KEY = MetaData:Host
 REGEX = hostIdentifier\"\:\"([^\"]+)\"
 FORMAT = host::$1

-[setnull]
-REGEX = Error\scasting
+[osquery_status_filter]
+REGEX = (POST\srequest\sto\sURI|Refreshing\sconfiguration|not\sattaching|Executing\sscheduled\squery|Error\scasting)
 DEST_KEY = queue
 FORMAT = nullQueue