+1 vote
in DevOps Culture
How do I exclude some events from being indexed by Splunk?

1 Answer

0 votes

This can be done by defining a regex to match the necessary event(s) and sending everything else to NullQueue. Here is a basic example that will drop everything except events that contain the string login:

In props.conf:

[source::/var/log/foo]
# Transforms must be applied in this order
# to make sure events are dropped on the
# floor prior to making their way to the
# index processor
TRANSFORMS-set = setnull,setparsing

In transforms.conf:

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = login
DEST_KEY = queue
FORMAT = indexQueue
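The reason the answer stresses transform order is that both stanzas write the same key (queue), and the last matching transform wins: setnull sends every event to nullQueue, then setparsing overrides that for events containing login. The following added example (not part of the original answer, and not Splunk code) simulates that evaluation over a few constructed log lines so the effect of the order can be checked before touching a real indexer; the transform list and sample events are assumptions made for the illustration.

```python
import re

# Constructed model of the two transforms.conf stanzas, listed in the
# order props.conf applies them (TRANSFORMS-set = setnull,setparsing).
TRANSFORMS = [
    {"name": "setnull", "regex": r".", "dest_key": "queue", "format": "nullQueue"},
    {"name": "setparsing", "regex": r"login", "dest_key": "queue", "format": "indexQueue"},
]

def route_event(event, transforms=TRANSFORMS, default_queue="indexQueue"):
    """Return the queue an event ends up in after applying transforms in order.

    Each transform whose REGEX matches writes FORMAT into DEST_KEY, so a later
    matching transform overrides an earlier one. Matching is case-sensitive,
    as a plain REGEX in transforms.conf is.
    """
    keys = {"queue": default_queue}
    for t in transforms:
        if re.search(t["regex"], event):
            keys[t["dest_key"]] = t["format"]
    return keys["queue"]

def route_events(events, transforms=TRANSFORMS):
    """Map each event to its destination queue."""
    return {event: route_event(event, transforms) for event in events}

# Constructed sample events; only lines containing "login" should be indexed.
SAMPLE_EVENTS = [
    "2022-11-21T10:00:01 sshd: Accepted login for alice from 10.0.0.5",
    "2022-11-21T10:00:02 sshd: Failed login for bob from 10.0.0.9",
    "2022-11-21T10:00:03 cron: job finished",
    "2022-11-21T10:00:04 kernel: usb device connected",
]

if __name__ == "__main__":
    print("Order as in the answer (setnull, setparsing):")
    for event, queue in route_events(SAMPLE_EVENTS).items():
        print(f"  {queue:10s} <- {event}")

    # Reversing the order makes setnull run last, so it overrides
    # setparsing and every event is dropped.
    print("Reversed order (setparsing, setnull):")
    for event, queue in route_events(SAMPLE_EVENTS, list(reversed(TRANSFORMS))).items():
        print(f"  {queue:10s} <- {event}")
```

Running the script shows the two login lines routed to indexQueue and the rest to nullQueue; with the list reversed, all four go to nullQueue, which is the misconfiguration the comment in props.conf warns about.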
