Filtering sourcetype=Perfmon:Process in Indexer

ramesh_babu71
Path Finder

Hi,

I had enabled Perfmon:Process and WinNetMon events in the universal forwarders on all Windows servers. However, these started sending a huge number of events, which is eating up my indexing license. I would like to filter out these events at the indexer until we upgrade the license in another six months or so.

sourcetype = Perfmon:Process
sourcetype = WinNetMon

I created a filtering option in props.conf and transforms.conf for filtering out events. I was successful in filtering out WinNetMon. However, Perfmon:Process events are still appearing in search.

Not sure where I'm getting this wrong. Setup: all Windows servers have a UF which is sending events to the indexer. I don't have access to the Windows servers, hence my only option is to filter out events at the indexer level. Please help.

props.conf
[WinNetMon]
TRANSFORMS-winnetmon__nullqueue = WinNetMon_to_null

[perfmonProcess]
TRANSFORMS-Perfmon_nullqueue = Perfmon_to_null

transforms.conf
[WinNetMon_to_null]
SOURCE_KEY = MetaData:Sourcetype
REGEX = WinNetMon
DEST_KEY = queue
FORMAT = nullQueue

[Perfmon_to_null]
SOURCE_KEY = MetaData:Sourcetype
REGEX = Perfmon
DEST_KEY = queue
FORMAT = nullQueue

muebel
SplunkTrust

Hi ramesh_babu71, You'll have to set the name of the sourcetype in your props stanza to Perfmon:Process. Currently you have perfmonProcess, which won't line up with the sourcetype you want to filter out.

Additionally, since this is a very focused transforms stanza, you can have the regex be more liberal, and set it to something like (.) to have it match any event.

Please let me know if this answers your question! 😄
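As an added illustration (not code from the thread), the following Python script simulates how the indexer's props/transforms lookup routes an event, using constructed copies of the poster's configs beside the corrected stanza: the perfmonProcess stanza never fires because nothing in the pipeline has that sourcetype, while the renamed Perfmon:Process stanza sends the event to nullQueue. It models only exact-name sourcetype stanzas (no source::/host:: patterns or wildcards) and assumes MetaData:Sourcetype carries the value as sourcetype::<name>; running such a check before deployment matters because anything routed to nullQueue is dropped before indexing and cannot be recovered for later investigation.

```python
import configparser
import re

# Constructed copies of the poster's props.conf (the "before" state), the
# corrected props.conf, and the unchanged transforms.conf, embedded inline.
PROPS_BEFORE = """
[WinNetMon]
TRANSFORMS-winnetmon__nullqueue = WinNetMon_to_null

[perfmonProcess]
TRANSFORMS-Perfmon_nullqueue = Perfmon_to_null
"""

PROPS_AFTER = """
[WinNetMon]
TRANSFORMS-winnetmon__nullqueue = WinNetMon_to_null

[Perfmon:Process]
TRANSFORMS-Perfmon_nullqueue = Perfmon_to_null
"""

TRANSFORMS = """
[WinNetMon_to_null]
SOURCE_KEY = MetaData:Sourcetype
REGEX = WinNetMon
DEST_KEY = queue
FORMAT = nullQueue

[Perfmon_to_null]
SOURCE_KEY = MetaData:Sourcetype
REGEX = Perfmon
DEST_KEY = queue
FORMAT = nullQueue
"""


def load_conf(text):
    """Parse an INI-like .conf into {stanza: {key: value}}, preserving key case."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # TRANSFORMS-* class names are case-sensitive
    parser.read_string(text)
    return {section: dict(parser[section]) for section in parser.sections()}


def route_event(sourcetype, props, transforms):
    """Return the queue an event of this sourcetype ends up in (simplified model).

    Only a props stanza whose name equals the sourcetype applies; each
    TRANSFORMS-* class it lists runs in order, and a transform whose REGEX
    matches its SOURCE_KEY writes FORMAT into DEST_KEY.
    """
    # Assumption: the metadata key holds "sourcetype::<name>", as the real key does.
    keys = {"MetaData:Sourcetype": f"sourcetype::{sourcetype}", "queue": "indexQueue"}
    for key, value in props.get(sourcetype, {}).items():
        if not key.startswith("TRANSFORMS-"):
            continue
        for name in (n.strip() for n in value.split(",")):
            t = transforms[name]
            if re.search(t["REGEX"], keys[t["SOURCE_KEY"]]):
                keys[t["DEST_KEY"]] = t["FORMAT"]
    return keys["queue"]
```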

ramesh_babu71
Path Finder

Thanks that worked. 🙂
