<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Exclude Process ID or application from Indexing in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Exclude-Process-ID-or-application-from-Indexing/m-p/97788#M20388</link>
    <description>&lt;P&gt;Hi,&lt;/P&gt;

&lt;P&gt;We have a need to exclude unwanted events from indexing. The problem is the majority of them are Windows file access events which we need to monitor.&lt;/P&gt;

&lt;P&gt;What I need to know is if we can exclude event logs from indexing based on a process ID or the application running them.&lt;/P&gt;

&lt;P&gt;The backup is causing lots of unnecessary events that need excluding.&lt;/P&gt;</description>
    <pubDate>Wed, 17 Jul 2013 10:35:04 GMT</pubDate>
    <dc:creator>howardevak</dc:creator>
    <dc:date>2013-07-17T10:35:04Z</dc:date>
    <item>
      <title>Exclude Process ID or application from Indexing</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Exclude-Process-ID-or-application-from-Indexing/m-p/97788#M20388</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;

&lt;P&gt;We have a need to exclude unwanted events from indexing. The problem is the majority of them are Windows file access events which we need to monitor.&lt;/P&gt;

&lt;P&gt;What I need to know is if we can exclude event logs from indexing based on a process ID or the application running them.&lt;/P&gt;

&lt;P&gt;The backup is causing lots of unnecessary events that need excluding.&lt;/P&gt;</description>
      <pubDate>Wed, 17 Jul 2013 10:35:04 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Exclude-Process-ID-or-application-from-Indexing/m-p/97788#M20388</guid>
      <dc:creator>howardevak</dc:creator>
      <dc:date>2013-07-17T10:35:04Z</dc:date>
    </item>
    <item>
      <title>Re: Exclude Process ID or application from Indexing</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Exclude-Process-ID-or-application-from-Indexing/m-p/97789#M20389</link>
      <description>&lt;P&gt;The answer to your question is &lt;STRONG&gt;yes&lt;/STRONG&gt;. In Splunk, this is called filtering. Filtering is performed as the input data is parsed. Usually this happens on the indexer (unless you are using a heavy forwarder).&lt;/P&gt;

&lt;P&gt;Here is a link to the relevant bit of documentation: &lt;A href="http://docs.splunk.com/Documentation/Splunk/5.0.3/Deploy/Routeandfilterdatad#Filter_event_data_and_send_to_queues"&gt;Route and filter data&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;Here are some similar questions at answers.splunk.com, which show examples that may be useful to you:&lt;/P&gt;

&lt;P&gt;&lt;A href="http://splunk-base.splunk.com/answers/96/how-do-i-exclude-some-events-from-being-indexed-by-splunk"&gt;How do I exclude some events from being indexed by Splunk?&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;&lt;A href="http://splunk-base.splunk.com/answers/1888/How-do-I-configure-Splunk-to-filter-out-events-I-don%E2%80%99t-want-to-index%3F"&gt;How do I configure Splunk to filter out events I don't want to index?&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;Hopefully this will help. Feel free to ask more specific questions if you need more details.&lt;/P&gt;</description>
      <pubDate>Thu, 18 Jul 2013 00:19:41 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Exclude-Process-ID-or-application-from-Indexing/m-p/97789#M20389</guid>
      <dc:creator>lguinn2</dc:creator>
      <dc:date>2013-07-18T00:19:41Z</dc:date>
    </item>
    <item>
      <title>Re: Exclude Process ID or application from Indexing</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Exclude-Process-ID-or-application-from-Indexing/m-p/97790#M20390</link>
      <description>&lt;P&gt;Many thanks for your reply Iguinn,&lt;/P&gt;

&lt;P&gt;However my problem is this.&lt;/P&gt;

&lt;P&gt;I need to index read and write events (which we are currently) but I want to exclude read and write events logged by a particular process (the backup application).&lt;/P&gt;

&lt;P&gt;At the moment the backup application is accounting for 95% of all indexed items and there is no requirement for us to keep those indexed.&lt;/P&gt;

&lt;P&gt;Can you help further?&lt;/P&gt;

&lt;P&gt;Kind Regards,&lt;/P&gt;

&lt;P&gt;Howard&lt;/P&gt;</description>
      <pubDate>Wed, 24 Jul 2013 09:59:29 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Exclude-Process-ID-or-application-from-Indexing/m-p/97790#M20390</guid>
      <dc:creator>howardevak</dc:creator>
      <dc:date>2013-07-24T09:59:29Z</dc:date>
    </item>
    <item>
      <title>Re: Exclude Process ID or application from Indexing</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Exclude-Process-ID-or-application-from-Indexing/m-p/97791#M20391</link>
      <description>&lt;P&gt;What do the events look like? What is the sourcetype and the format? What uniquely identifies these events?&lt;/P&gt;

&lt;P&gt;Also, have you considered setting the Windows application log to exclude these events? If Windows isn't logging the details, then Splunk won't either.&lt;/P&gt;</description>
      <pubDate>Wed, 24 Jul 2013 18:58:21 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Exclude-Process-ID-or-application-from-Indexing/m-p/97791#M20391</guid>
      <dc:creator>lguinn2</dc:creator>
      <dc:date>2013-07-24T18:58:21Z</dc:date>
    </item>
  </channel>
</rss>

