Hi,
I have a log source that is causing some problems. I think it is caused by events like these ones:
29-02-2012 18:00:58 UTC udb_persona_ingest INFO - ========= JOB COUNTERS ========
29-02-2012 18:00:58 UTC udb_persona_ingest INFO - ========= JOB COUNTERS END ========
How can I configure Splunk to not index this particular event that is linked to a sourcetype?
Thanks in advance.
Lp
Look for the section titled "Discard specific events and keep the rest" at this link: RouteAndFilterData
You'll just need to create a regex that matches those 2 log entries. The data will still be read and sent from a UF to the indexer, but the indexer will simply discard the messages.
Something similar to the following
props.conf on your indexer:
[your_sourcetype]
# the value must name the transforms.conf stanza below
TRANSFORMS-null = setnull
transforms.conf on your indexer:
[setnull]
# no quotes around the value: Splunk takes the whole value as the regex, so quotes would be matched literally
REGEX = =+\s(?:JOB COUNTERS|JOB COUNTERS END)\s=+
DEST_KEY = queue
FORMAT = nullQueue
Might need to tweak the regex a bit, but that should work.
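To check the regex and the props/transforms wiring before touching a production indexer, here is a small emulator of the nullQueue routing described in the answer above. This is an added example, not code from the original answer or from Splunk itself; the sourcetype name `your_sourcetype`, the stanza name `setnull` and the sample log lines are constructed for illustration. It reads the two config fragments with the standard library's configparser (Splunk's own conf parser behaves the same way on these lines: keys are case-sensitive and quotes are not stripped), applies every TRANSFORMS-* stanza for the event's sourcetype, and reports which queue each event lands in. It also shows the quoted-regex pitfall: with the quotes left in, nothing matches and all three events are indexed.

```python
import configparser
import re

# Constructed sample events: the two lines from the question plus one
# ordinary line that must still be indexed.
SAMPLE_EVENTS = [
    "29-02-2012 18:00:58 UTC udb_persona_ingest INFO - ========= JOB COUNTERS ========",
    "29-02-2012 18:00:58 UTC udb_persona_ingest INFO - processed 1234 records in 0.8s",
    "29-02-2012 18:00:58 UTC udb_persona_ingest INFO - ========= JOB COUNTERS END ========",
]

# Constructed props.conf / transforms.conf text mirroring the answer's config.
# Stanza names are assumptions for this illustration.
PROPS_CONF = """
[your_sourcetype]
TRANSFORMS-null = setnull
"""

TRANSFORMS_CONF = r"""
[setnull]
REGEX = =+\s(?:JOB COUNTERS|JOB COUNTERS END)\s=+
DEST_KEY = queue
FORMAT = nullQueue
"""

# Same stanza with the regex wrapped in quotes: the quotes become part of the
# pattern, so the events are no longer matched and nothing is discarded.
QUOTED_TRANSFORMS_CONF = r"""
[setnull]
REGEX = "=+\s(?:JOB COUNTERS|JOB COUNTERS END)\s=+"
DEST_KEY = queue
FORMAT = nullQueue
"""


def load_conf(text):
    """Parse a .conf fragment; keep key case (TRANSFORMS-null) and raw values."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def route_event(event, sourcetype, props, transforms):
    """Return the queue one event is sent to ('indexQueue' or 'nullQueue').

    Emulates the indexer: every TRANSFORMS-* class on the sourcetype stanza
    names one or more transforms; a transform whose DEST_KEY is 'queue' and
    whose REGEX matches sets the queue to its FORMAT. Classes are applied in
    file order here; Splunk orders them by class name, which is equivalent
    for a single class.
    """
    queue = "indexQueue"
    if not props.has_section(sourcetype):
        return queue
    for key, value in props.items(sourcetype):
        if not key.startswith("TRANSFORMS-"):
            continue
        for name in (n.strip() for n in value.split(",")):
            t = transforms[name]
            if t.get("DEST_KEY") != "queue":
                continue
            if re.search(t["REGEX"], event):
                queue = t["FORMAT"]
    return queue


def route_all(events, sourcetype, props_text, transforms_text):
    """Route a list of events; returns the queue name for each, in order."""
    props = load_conf(props_text)
    transforms = load_conf(transforms_text)
    return [route_event(e, sourcetype, props, transforms) for e in events]


if __name__ == "__main__":
    for conf_name, conf in (("unquoted", TRANSFORMS_CONF), ("quoted", QUOTED_TRANSFORMS_CONF)):
        print(f"--- transforms.conf ({conf_name} regex) ---")
        for event, queue in zip(SAMPLE_EVENTS, route_all(SAMPLE_EVENTS, "your_sourcetype", PROPS_CONF, conf)):
            print(f"{queue:10s} {event}")
```

Events of any other sourcetype are untouched because the props stanza is keyed on `your_sourcetype`; that is the point of attaching the transform to the sourcetype rather than to the input as a whole.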
Thanks, I will test it tomorrow.