Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Filtering sourcetype=Perfmon:Process in Indexer

ramesh_babu71
Path Finder
‎03-27-2017 05:26 AM

Hi,

I had enabled Perfmon:Process and WinNetMon events in the universal forwarders on all windows servers. However, these started sending huge number of events which is eating up my indexing license. I would like to filter out these events at the indexer until we go upgrade the license in another six months or so.

sourcetype = Perfmon:Process
sourcetype = WinNetMon

I created filtering option in props.conf and transforms.conf for filtering out events. I was successful in filtering out the WinNetMon. However Perfmon:Process events are still appearing in search.

Not sure where I'm getting this wrong. Setup: All windows windows servers have a UF which is sending events to Indexer. I'm not having access to windows servers hence my only option is to filter out events at indexer level. Please help
props.conf
[WinNetMon]
TRANSFORMS-winnetmon__nullqueue = WinNetMon_to_null

[perfmonProcess]
TRANSFORMS-Perfmon_nullqueue = Perfmon_to_null

transforms.conf
[WinNetMon_to_null]
SOURCE_KEY = MetaData:Sourcetype
REGEX = WinNetMon
DEST_KEY = queue
FORMAT = nullQueue

[Perfmon_to_null]
SOURCE_KEY = MetaData:Sourcetype
REGEX = Perfmon
DEST_KEY = queue
FORMAT = nullQueue

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

muebel
SplunkTrust
SplunkTrust
‎03-27-2017 08:18 AM

Hi ramesh_babu71, You'll have to set the name of the sourcetype in your props stanza to Perfmon:Process. Currently you have perfmonProcess, which won't line up with the sourcetype you want to filter out.

Additionally, since this is a very focused transforms staza, you can have the regex be more liberal, and set it to something like (.) to have it match any event.

Please let me know if this answers your question! 😄

View solution in original post

Reply
Solved! Jump to solution
Solution

muebel
SplunkTrust
SplunkTrust
‎03-27-2017 08:18 AM

Hi ramesh_babu71, You'll have to set the name of the sourcetype in your props stanza to Perfmon:Process. Currently you have perfmonProcess, which won't line up with the sourcetype you want to filter out.

Additionally, since this is a very focused transforms staza, you can have the regex be more liberal, and set it to something like (.) to have it match any event.

Please let me know if this answers your question! 😄

Reply
Solved! Jump to solution

ramesh_babu71
Path Finder
‎03-28-2017 08:26 AM

Thanks that worked. 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...