Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to blacklist data containing specific words

bli_scs
New Member
‎06-12-2019 04:10 PM

I have found that there are lots of syslog contains "Log statistics", which is log statistic data of syslog.
Splunk could not parse it well and I do not want to index this data.

How I can blacklist it in the inputs.conf?

0 Karma
Reply

amitm05
Builder
‎06-13-2019 06:39 AM

@bli_scs

From the inputs.conf we can do the blacklisting at file or directory level. See here -
https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Whitelistorblacklistspecificincomingda...

However to perform the blacklisting which is event based (on some criteria like in your case that the event contains "Log statistics"), you can use a Heavy Forwarder, which processes both the input phase and the parsing phase before forwarding.
and on your HF, you can define the filtering rule on your props.conf and transforms.conf
For defining a filtering rule, this post can help you -
https://answers.splunk.com/answers/59370/filtering-events-using-nullqueue-1.html

Please accept as answer if this responds to your query.
Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...