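# $SPLUNK_HOME/etc/system/local/transforms.conf
# Transform that routes matching events to nullQueue (dropped before indexing).
# Referenced from props.conf via TRANSFORMS-<name> = setnull_dns_query.
[setnull_dns_query]
# Drop UDP/53 traffic to (or from) the DNS servers 192.168.10.10 / 192.168.10.20.
# The port literal is followed by (?!\d) so that "dest_port":53 does not also
# match 530x or 5353 (mDNS) — without it those flows were silently dropped too.
# Note: the event's protocol is not checked, so TCP/53 flows to these servers are
# dropped as well; add a protocol condition on the field stream:netflow carries
# if DNS-over-TCP (zone transfers, large responses) must stay visible.
# Note: ".*" only scans forward, so the IP field must precede the port field in
# the raw event for a match — assumed true for stream:netflow JSON; confirm.
REGEX = ("dest_ip":"192\.168\.10\.10"|"dest_ip":"192\.168\.10\.20").*("dest_port":53(?!\d))|("src_ip":"192\.168\.10\.10"|"src_ip":"192\.168\.10\.20").*("src_port":53(?!\d))
DEST_KEY = queue
FORMAT = nullQueue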
# $SPLUNK_HOME/etc/system/local/props.conf
# Sourcetype stanza: attaches the transform defined in transforms.conf to
# stream:netflow events at index time. Events matching that transform's REGEX
# are sent to nullQueue and never reach the index, so their DNS telemetry is
# lost for searching/detection — keep that in mind when the filter is widened.
[stream:netflow]
# TRANSFORMS-<name>: <name> is arbitrary; the value is the transforms.conf stanza.
TRANSFORMS-null_dns = setnull_dns_query