Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Exclude Sourcetype from being indexed

himapate
Explorer
‎01-17-2017 12:21 AM

How do i exclude paticular sourcetype from being indexed at my indexer end
Or is there any method to stop them at forwarder end

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎01-17-2017 12:26 AM

Hi himapate,
you can stop ingestion inserting disabled=1 in each stanza of your sourcetype in your forwarders inputs.conf, this is easy if you have not many Forwarders or a Deployment Server.

Otherwise, if you want to filter them on the indexers, you have to insert:
in props.conf

[your_sourcetype]
TRANSFORMS-set-nullqueue=set_nullqueue

and in transforms.conf

[set_nullqueue]
REGEX=.
DEST_KEY=queue
FORMAT=nullQueue

and restart Splunk

When you want to disable filter, you have only to comment (#) the TRANSFORMS command in props.conf (obviously restarting Splunk!).

Bye.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎01-17-2017 12:26 AM

Hi himapate,
you can stop ingestion inserting disabled=1 in each stanza of your sourcetype in your forwarders inputs.conf, this is easy if you have not many Forwarders or a Deployment Server.

Otherwise, if you want to filter them on the indexers, you have to insert:
in props.conf

[your_sourcetype]
TRANSFORMS-set-nullqueue=set_nullqueue

and in transforms.conf

[set_nullqueue]
REGEX=.
DEST_KEY=queue
FORMAT=nullQueue

and restart Splunk

When you want to disable filter, you have only to comment (#) the TRANSFORMS command in props.conf (obviously restarting Splunk!).

Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...