[source::.../engine-*.log]

nikhilagrawal · ‎04-19-2012

I have a situation.
I have defined the source type under Deployment server- deployment app>local>prop.conf> as

[source::.../engine-*.log]
TRANSFORMS-null=setnull

Also created under deployment app>local> tranforms.conf which includes:

[setnull]
DEST_KEY = queue
FORMAT = nullQueue

As explained link: http://docs.splunk.com/Documentation/Splunk/4.3/Deploy/Routeandfilterdatad#Filter_event_data_and_sen...

I want to discard the source type for the time being because data is not required for now but might req in future. Created a corresponding stanza in transforms.conf. Set DEST_KEY to "queue" and FORMAT to "nullQueue":
Problem: I am still getting data from that source type. Can you suggest to resolve this?

thanks

Drainy · ‎04-19-2012

Do you mean source when you say sourcetype?
Did you restart after making those changes?
Also, they will only affect newly indexed data, all your old data will still persist in your index

nikhilagrawal · ‎04-20-2012

Can anyone suggest to my above query please?

nikhilagrawal · ‎04-19-2012

No It is source type named engine(in my case) and I have restarted the DS. Do I need to restart the forwarder as well? I dont mind with the existing data just want to ignore for future. I have also tried to comment out like:

[source::.../engine-*.log]

sourcetype=engine

TRANSFORMS-null= setnull

Just to check if it discard the data but still showing the indexed data.
Any suggestion?

Discard Source type

[source::.../engine-*.log]

sourcetype=engine

TRANSFORMS-null= setnull

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases