Getting Data In

Do not index some events from a log source...

lpolo
Motivator

Hi,

I have a log source that is causing some problems. I think it is caused by events like this ones:

29-02-2012 18:00:58 UTC udb_persona_ingest INFO - ========= JOB COUNTERS ======== 
29-02-2012 18:00:58 UTC udb_persona_ingest INFO - ========= JOB COUNTERS END ======== 

how can I configure splunk to not index this particular event that is linked to a sourcetype.

Thanks in advanced.
Lp

Tags (1)
0 Karma

mikelanghorst
Motivator

Look for the section titled: Discard specific events and keep the rest on this link RouteAndFilterData

You'll just need to create a regex that matches those 2 log entries. The data will still be read and sent from a UF to the indexer, but the indexer will simply discard the messages.

Something similar to the following
props.conf on your indexer:
[your_sourcetype]
TRANSFORMS-null= discard

transforms.conf on your indexer:
[setnull]
REGEX = "=+\s(?:JOB COUNTERS|JOB COUNTERS END)\s=+"
DEST_KEY = queue
FORMAT = nullQueue

Might need to tweak the regex a bit, but that should work.

lpolo
Motivator

Thanks I will test it tomorrow.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...