Solved: Can I blacklist sourcetype or Index?

nikhilagrawal · ‎01-14-2016

We have client logs getting indexed using Rest API and our license is overloaded with high volume. Because of REST API setup, we don't have a forwarder pushing logs to Splunk indexer-- it's getting indexed directly from user machines. Is there any way we can just blacklist the index or source type?

Thanks

javiergn · ‎01-14-2016

Deploy the following to your indexer(s) or whatever is your next hop after the collection layer:

In props.conf:

[yoursourcetypename]
TRANSFORMS-null= setnull

In transforms.conf:

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

More details here:
http://docs.splunk.com/Documentation/Splunk/6.3.2/Forwarding/Routeandfilterdatad#Filter_event_data_a...

I think you can also prefilter this in your clients if you have already specify the index name at collection time. See this: http://docs.splunk.com/Documentation/Splunk/6.2.0/Forwarding/Routeandfilterdatad#Filter_data_by_targ...

View solution in original post

javiergn · ‎01-14-2016

Deploy the following to your indexer(s) or whatever is your next hop after the collection layer:

In props.conf:

[yoursourcetypename]
TRANSFORMS-null= setnull

In transforms.conf:

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

More details here:
http://docs.splunk.com/Documentation/Splunk/6.3.2/Forwarding/Routeandfilterdatad#Filter_event_data_a...

I think you can also prefilter this in your clients if you have already specify the index name at collection time. See this: http://docs.splunk.com/Documentation/Splunk/6.2.0/Forwarding/Routeandfilterdatad#Filter_data_by_targ...

Can I blacklist sourcetype or Index?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life