<div id="readability-page-1" class="page"><div>
<header>
<div>

<div id="header" data-version="1" name="헤더">
<p>
<h2>
<a href="https://kangmyounghun.blogspot.com/?m=1">
케세라세라
</a>
</h2>
</p>
<p><span>Easy to analyze if you are really curious about data</span></p>
</div>

</div>
</header>
<div>

<div data-version="1" id="crosscol" name="전체 열">
<h2>페이지</h2>
<div>
<p>
<span>▼</span></p>
</div>
</div>

</div>
<div>

<div>
<div>



</div>
<div>



</div>
<div>



</div>

<div>
<div data-version="1" id="main" name="기본">
<div>
<h2><span>2024년 2월 19일 월요일</span></h2>
<div>
<div itemscope="itemscope" itemtype="http://schema.org/BlogPosting">
<meta content="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFbNtvQmPjT_ESFVHb9wPSxTRYOht1uhl11LWwiR1-pzEy3Vrmbw2kzxQYPwoJ7YCv_Bx0O91rndE7yCkOFvmCEmw9PUVgL1h7PuCalStLdrx3Spm8pox8OUdt0ycglHY-M1iNPcHVnAHi685ZknBvy7q0F7GuGbi5srZ9nnvolqBaZFGGpX4q-VK_qiP5/s72-c/windows_firewall.png" itemprop="image_url">
<meta content="2597780270996323853" itemprop="blogId">
<meta content="1916499492242366974" itemprop="postId">
<h3 itemprop="name">
Splunk의 이벤트 단위 텍스트 필터링
</h3>

<div id="post-body-1916499492242366974" itemprop="articleBody">
<div><p>다음은 윈도우 방화벽 로그 발생 현황.</p>
  <p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFbNtvQmPjT_ESFVHb9wPSxTRYOht1uhl11LWwiR1-pzEy3Vrmbw2kzxQYPwoJ7YCv_Bx0O91rndE7yCkOFvmCEmw9PUVgL1h7PuCalStLdrx3Spm8pox8OUdt0ycglHY-M1iNPcHVnAHi685ZknBvy7q0F7GuGbi5srZ9nnvolqBaZFGGpX4q-VK_qiP5/s1730/windows_firewall.png"><img data-original-height="1125" data-original-width="1730" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFbNtvQmPjT_ESFVHb9wPSxTRYOht1uhl11LWwiR1-pzEy3Vrmbw2kzxQYPwoJ7YCv_Bx0O91rndE7yCkOFvmCEmw9PUVgL1h7PuCalStLdrx3Spm8pox8OUdt0ycglHY-M1iNPcHVnAHi685ZknBvy7q0F7GuGbi5srZ9nnvolqBaZFGGpX4q-VK_qiP5/s280/windows_firewall.png" width="280"></a></p>
  <div><p><span><a name="more"></a></span>localhost에 의해 발생한 로그양이 절반을 넘는다. 이건 수집하기 싫은데?&nbsp;<a href="https://docs.splunk.com/Documentation/Splunk/9.2.0/Admin/Inputsconf#Event_Log_filtering" target="_blank">윈도우 이벤트는 문자열 검색을 통해 수집 데이터를 필터링</a>할 수 있었다. 텍스트 데이터도 되겠지?</p></div></div>
<p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTTNIDOtPOUuYzE3LycAYpapKS6XvJcychkMXtOoP6Re5gfU3uzt9TN8mbsyBoukU3dO5uJuIu2qdrCG7Sk6tWDWbenQG45giXNjzYZ_mCqsyQigDNcHw9ytGF0b7hrZlIpBYRRKus5Ohg2c6AesEkx6w7gEMAKV_f6e2i21m2RKB2mkZMSgWmFdgkH36D/s1280/splunk_input_blacklist.png"><img data-original-height="471" data-original-width="1280" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTTNIDOtPOUuYzE3LycAYpapKS6XvJcychkMXtOoP6Re5gfU3uzt9TN8mbsyBoukU3dO5uJuIu2qdrCG7Sk6tWDWbenQG45giXNjzYZ_mCqsyQigDNcHw9ytGF0b7hrZlIpBYRRKus5Ohg2c6AesEkx6w7gEMAKV_f6e2i21m2RKB2mkZMSgWmFdgkH36D/s280/splunk_input_blacklist.png" width="280"></a></p>
<br><div><p><a href="https://docs.splunk.com/Documentation/Splunk/9.2.0/Admin/Inputsconf#Deny_list" target="_blank"><b><span>텍스트는 파일 단위 필터링만 가능</span></b></a></p></div><p>대신 스플렁크는 널 라우팅<span>(Null Routing)</span> 개념을 이용해서 텍스트 데이터의 문자열 필터링을 지원한다.</p><div><blockquote><i><a href="https://docs.splunk.com/Documentation/Splunk/9.2.0/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues" target="_blank">You can eliminate unwanted data by routing it to the nullQueue, the Splunk equivalent of the Unix /dev/null device</a></i></blockquote></div><p>props.conf에서 작업 대상 등을 지정하고,</p>
<p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUUvDhv_EC7bRzZYXfnOLCbNYfcTFaE9Ck8QnhnWYU2V5Mz9z33eN4rEHfBmFfwicUQgbDQmKPYz9vZ81eBYn5DcFwQ21XA2znU-n855_J5ysJhkuViKOwa3zVR0Zfjxqkg-6a9PcQcgbithif8ZpcaDVAyIqbpEJNHo8tWCCYaV85Q6r4WUihk62gw0kc/s2000/props_conf.png"><img data-original-height="791" data-original-width="2000" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUUvDhv_EC7bRzZYXfnOLCbNYfcTFaE9Ck8QnhnWYU2V5Mz9z33eN4rEHfBmFfwicUQgbDQmKPYz9vZ81eBYn5DcFwQ21XA2znU-n855_J5ysJhkuViKOwa3zVR0Zfjxqkg-6a9PcQcgbithif8ZpcaDVAyIqbpEJNHo8tWCCYaV85Q6r4WUihk62gw0kc/s280/props_conf.png" width="280"></a></p>
<p>tranforms.conf에서 세부 작업 내역을 정의하는 방식.</p>
<p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCsEm0gNato7n0OXHn-4_mmVDEaN1nWPsm7eklE_pTN16jcz7dC2f7RSABNaZC1LKEVnCwTydKqqMqyMELb0RHMDGoCNkOlJCceK9VSRYeChNNmQY8MWSl5fHJ_OloSWd-fNSHKCalpCMA8OWFKufm_BD4mSzAoWkw9e9fhDwYlj6COJRbPKVtp_xUeYBk/s1280/transforms_conf.png"><img data-original-height="436" data-original-width="1280" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCsEm0gNato7n0OXHn-4_mmVDEaN1nWPsm7eklE_pTN16jcz7dC2f7RSABNaZC1LKEVnCwTydKqqMqyMELb0RHMDGoCNkOlJCceK9VSRYeChNNmQY8MWSl5fHJ_OloSWd-fNSHKCalpCMA8OWFKufm_BD4mSzAoWkw9e9fhDwYlj6COJRbPKVtp_xUeYBk/s280/transforms_conf.png" width="280"></a></p>
<p>잘 된다.</p>
<p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuTiEGwffSnBZgW3wwPUwstd1bB83eoF4zushcs0rXMhNNjw8e4ZGfVwJXgbrkv8I_HdFLd-M1ykdyZSgMmkhxXi3q-kxlhMrdgMk4eTSpPmkRBkPnB7lbcpeTb67YkzptddwkGa7kKKLJwLCa4nLUDCumU46X1ehnUQp37iAOHU_IcMCr0pTlw_ca3RGr/s1730/windows_firewall2.png"><img data-original-height="1125" data-original-width="1730" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuTiEGwffSnBZgW3wwPUwstd1bB83eoF4zushcs0rXMhNNjw8e4ZGfVwJXgbrkv8I_HdFLd-M1ykdyZSgMmkhxXi3q-kxlhMrdgMk4eTSpPmkRBkPnB7lbcpeTb67YkzptddwkGa7kKKLJwLCa4nLUDCumU46X1ehnUQp37iAOHU_IcMCr0pTlw_ca3RGr/s280/windows_firewall2.png" width="280"></a></p>
<p><b>관련 글</b></p><div><ul><li><a href="https://kangmyounghun.blogspot.com/2021/05/splunk-winlogbeat.html" target="">Splunk와 Winlogbeat 차이</a></li></ul></div>

</div>
<div>
<div>
<p><span>
<span itemprop="author" itemscope="itemscope" itemtype="http://schema.org/Person">
<meta content="https://www.blogger.com/profile/04275122278203538865" itemprop="url">
<a href="https://www.blogger.com/profile/04275122278203538865" rel="author" title="author profile">
<span itemprop="name">강명훈</span>
</a>
</span>
</span>
<span>
시간:
<meta content="https://kangmyounghun.blogspot.com/2024/02/splunk.html" itemprop="url">
<a href="https://kangmyounghun.blogspot.com/2024/02/splunk.html?m=1" rel="bookmark" title="permanent link"><abbr itemprop="datePublished" title="2024-02-19T22:30:00+09:00">오후 10:30</abbr></a>
</span>
<span>
</span>
</p></div>

</div>
</div>
<div id="comments">
<h4>댓글 없음:</h4>
<div id="Blog1_comments-block-wrapper">
<dl id="comments-block">
</dl>
</div>
<div>
<h4 id="comment-post-message">
댓글 쓰기</h4>




</div>

</div>
</div>
</div>
<div id="blog-pager">
<div id="blog-pager-older-link">
<p><a href="https://kangmyounghun.blogspot.com/2024/02/winlogbeat-812.html?m=1" id="Blog1_blog-pager-older-link" title="이전 게시물">›</a>
</p></div>
<div id="blog-pager-home-link">
<p><a href="https://kangmyounghun.blogspot.com/?m=1">홈</a>
</p></div>
<div>
<p><a href="https://kangmyounghun.blogspot.com/2024/02/splunk.html?m=0">웹 버전 보기</a>
</p></div>
</div>

</div>


</div>


</div>

</div>


</div></div>

케세라세라

다음은 윈도우 방화벽 로그 발생 현황.
  
localhost에 의해 발생한 로그양이 절반을 넘는다. 이건 수집하기 싫은데? 윈도우 이벤트는 문자열 검색을 통해 수집 데이터를 필터링할 수 있었다. 텍스트 데이터도 되겠지?
텍스트는 파일 단위 필터링만 가능
대신 스플렁크는 널 라우팅(Null Routing) 개념을 이용해서 텍스트 데이터의 문자열 필터링을 지원한다.
You can eliminate unwanted data by routing it to the nullQueue, the Splunk equivalent of the Unix /dev/null device
props.conf에서 작업 대상 등을 지정하고,
tranforms.conf에서 세부 작업 내역을 정의하는 방식.
잘 된다.
관련 글
Splunk와 Winlogbeat 차이