Re: ignore all static content files from indexing

safe_splunk · ‎05-05-2014

Hi,

I tried props.conf and transforms.conf solution but it did not work.

props.conf

[access_combined]
pulldown_type = true
maxDist = 28
MAX_TIMESTAMP_LOOKAHEAD = 128
REPORT-access = access-extractions
SHOULD_LINEMERGE = False
TIME_PREFIX = \[
TRANSFORMS-set= strip_images_header

transforms.conf

[strip_images_header]
REGEX = *.jpg*
DEST_KEY = queue
FORMAT = nullQueue

But .jpg files are still indexing on access_combined sourcetype logs. What do i do wrong?
Please Help

safe_splunk · ‎05-05-2014

REGEX = (.jpg|.png|.gif|.xml|.ico|.css|.js)

ok all set thanks friends.

Ayn · ‎05-05-2014

Your regex is syntactically incorrect. You can verify here for instance: http://regexpal.com/

You probably want something like REGEX = \.jpg$

More information about regular expressions: http://www.regular-expressions.info/

martin_mueller · ‎05-05-2014

Sure, from a regex point of view that's still one expression, only slightly more complex:

REGEX = \.(jpg|png|gif)$

safe_splunk · ‎05-05-2014

All set thanks for help friends.
Last question is can i write multiple entries in one regexp line?

such as

REGEXP .jpg|.png|.gif

martin_mueller · ‎05-05-2014

If you're putting this config onto a universal forwarder then nothing's going to happen because the UF doesn't parse the input data. You need to configure this on the indexers or heavy forwarders.

safe_splunk · ‎05-05-2014

Thanks i find that out and changed it on the forwarder configs but still did not work. Now I try same config on the indexer configs. Waiting for result restart takes time too big. > 50TB.

ignore all static content files from indexing

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases