So I need to temporarily free up some indexing license. Rather than tweaking my deployment, I was hoping I could just route a few sourcetypes to /dev/null for a little while. Is there a way I can tell Splunk to not index a sourcetype or a list of sourcetypes?
Thanks Steve
Yes, you can, by routing the undesired events to the nullQueue. Check this part of the documentation: http://www.splunk.com/base/Documentation/latest/Admin/Routeandfilterdata#Discard_specific_events_and...
Let's assume you don't want the sourcetype my_sourcetype. On your indexer, set up your props.conf:
[my_sourcetype]
TRANSFORMS-null= setnull
and then in transforms.conf:
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
You can of course tweak the REGEX to not be as greedy and just throw out specific events. But the example as is will discard everything coming in as the my_sourcetype sourcetype.
Worked like a charm! Thanks.
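To check which events a list of sourcetypes would actually lose before putting stanzas like the ones above on the indexer, the following added example (not from the original posts or from Splunk) models the queue routing in Python. The names my_other_sourcetype, my_noisy_sourcetype and drop_debug are hypothetical, and Python's re module stands in for Splunk's PCRE matching.

```python
import re

# Constructed sample settings; every name except my_sourcetype and setnull
# is hypothetical.
PROPS = """
[my_sourcetype]
TRANSFORMS-null = setnull
[my_other_sourcetype]
TRANSFORMS-null = setnull
[my_noisy_sourcetype]
TRANSFORMS-null = drop_debug
"""
TRANSFORMS = r"""
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[drop_debug]
REGEX = \bDEBUG\b
DEST_KEY = queue
FORMAT = nullQueue
"""

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def is_discarded(sourcetype, event, props, transforms):
    """True if the event's final queue is nullQueue (re approximates PCRE)."""
    queue = "indexQueue"
    stanza = props.get(sourcetype, {})
    # Classes are taken in sorted order here (an assumption of this example).
    for key in sorted(k for k in stanza if k.startswith("TRANSFORMS-")):
        for name in stanza[key].split(","):
            t = transforms.get(name.strip(), {})
            if t.get("DEST_KEY") == "queue" and "REGEX" in t and re.search(t["REGEX"], event):
                queue = t.get("FORMAT", queue)  # a later match overrides an earlier one
    return queue == "nullQueue"

PROPS_CONF, TRANSFORMS_CONF = parse_conf(PROPS), parse_conf(TRANSFORMS)
```

Sharing one setnull transform across several props.conf stanzas covers the "list of sourcetypes" case, while a narrower REGEX such as the hypothetical drop_debug keeps the remaining events searchable.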