https://community.splunk.com/t5/Getting-Data-In/How-do-i-exclude-some-events-from-being-indexed-by-Splunk/m-p/9216#M21 <P>This example only includes things that contain 'login' and drops everthing else. Another use case would be to take in everything and make an exception for nosie you want filtered out. </P> <P>The inverse to accept all except anything with the word 'info' would require just one stanza in transforms.conf:</P> <PRE><CODE>[setnull] REGEX = info DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> Fri, 09 Apr 2010 02:56:36 GMT dskillman 2010-04-09T02:56:36Z https://community.splunk.com/t5/Getting-Data-In/How-do-i-exclude-some-events-from-being-indexed-by-Splunk/m-p/9213#M18 <P>i have a data source that is very noisy, and i only want to index specific events from it, not all of them. for example, i only want to index logins and logouts, or login failures. how do i do this?</P> Fri, 15 Jan 2010 07:45:28 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-i-exclude-some-events-from-being-indexed-by-Splunk/m-p/9213#M18 piebob 2010-01-15T07:45:28Z https://community.splunk.com/t5/Getting-Data-In/How-do-i-exclude-some-events-from-being-indexed-by-Splunk/m-p/9214#M19 <P>This is done by defining a regex to match the necessary event(s) and send everything else to <CODE>nullqueue</CODE></P> <P>Here is a basic example that will drop everything except events that contain the string <CODE>login</CODE></P> <P><CODE>props.conf</CODE></P> <PRE><CODE>[source::/var/log/foo] # Transforms must be applied in this order # to make sure events are dropped on the # floor prior to making their way to the # index processor TRANSFORMS-set = setnull, setparsing </CODE></PRE> <P><CODE>In transforms.conf</CODE></P> <PRE><CODE>[setnull] REGEX = . DEST_KEY = queue FORMAT = nullQueue [setparsing] REGEX = login DEST_KEY = queue FORMAT = indexQueue </CODE></PRE> Fri, 15 Jan 2010 08:01:09 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-i-exclude-some-events-from-being-indexed-by-Splunk/m-p/9214#M19 matt 2010-01-15T08:01:09Z https://community.splunk.com/t5/Getting-Data-In/How-do-i-exclude-some-events-from-being-indexed-by-Splunk/m-p/9215#M20 <P>I prefer to use the regex (?=) to match anything. The regex . won't match if the field you're checking against happens to be empty, for example. Though this doesn't happen with the default _raw field, other fields can be empty.</P> Fri, 15 Jan 2010 09:10:11 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-i-exclude-some-events-from-being-indexed-by-Splunk/m-p/9215#M20 gkanapathy 2010-01-15T09:10:11Z https://community.splunk.com/t5/Getting-Data-In/How-do-i-exclude-some-events-from-being-indexed-by-Splunk/m-p/9216#M21 <P>This example only includes things that contain 'login' and drops everthing else. Another use case would be to take in everything and make an exception for nosie you want filtered out. </P> <P>The inverse to accept all except anything with the word 'info' would require just one stanza in transforms.conf:</P> <PRE><CODE>[setnull] REGEX = info DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> Fri, 09 Apr 2010 02:56:36 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-i-exclude-some-events-from-being-indexed-by-Splunk/m-p/9216#M21 dskillman 2010-04-09T02:56:36Z https://community.splunk.com/t5/Getting-Data-In/How-do-i-exclude-some-events-from-being-indexed-by-Splunk/m-p/9217#M22 <P>See this post:</P> <P><A href="http://answers.splunk.com/questions/96/how-do-i-exclude-some-events-from-being-indexed-by-splunk" rel="nofollow">http://answers.splunk.com/questions/96/how-do-i-exclude-some-events-from-being-indexed-by-splunk</A></P> <P>=========</P> <P>This is done by defining a regex to match the necessary event(s) and send everything else to nullqueue</P> <P>Here is a basic example that will drop everything except events that contain the string login </P> <P>In props.conf:</P> <PRE><CODE>[source::/var/log/foo] # Transforms must be applied in this order # to make sure events are dropped on the # floor prior to making their way to the # index processor TRANSFORMS-set= setnull,setparsing </CODE></PRE> <P>In transforms.conf</P> <PRE><CODE>[setnull] REGEX = . DEST_KEY = queue FORMAT = nullQueue [setparsing] REGEX = login DEST_KEY = queue FORMAT = indexQueue </CODE></PRE> Fri, 30 Apr 2010 05:56:25 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-i-exclude-some-events-from-being-indexed-by-Splunk/m-p/9217#M22 Simeon 2010-04-30T05:56:25Z https://community.splunk.com/t5/Getting-Data-In/How-do-i-exclude-some-events-from-being-indexed-by-Splunk/m-p/9218#M23 <P>I gotta ask. What is that "5." in the code boxes. I am thinking it is a typo, but then again when it comes to configuration files, code, syntax and such one never know. I am trying to exclude some log entries with specific strings and it is not working yet, so then I think "well what is that 5. for" <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 04 May 2016 13:15:18 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-i-exclude-some-events-from-being-indexed-by-Splunk/m-p/9218#M23 geoeldsul 2016-05-04T13:15:18Z https://community.splunk.com/t5/Getting-Data-In/How-do-i-exclude-some-events-from-being-indexed-by-Splunk/m-p/9219#M24 <P>The 5 is a line count for the pasted data. Not relevant for actual usage in the config files.</P> Mon, 09 May 2016 02:50:01 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-i-exclude-some-events-from-being-indexed-by-Splunk/m-p/9219#M24 esix_splunk 2016-05-09T02:50:01Z https://community.splunk.com/t5/Getting-Data-In/How-do-i-exclude-some-events-from-being-indexed-by-Splunk/m-p/9220#M25 <P>I downvoted this post because recursive. the link under "see this post" points back to this question.</P> Wed, 16 Aug 2017 14:26:44 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-i-exclude-some-events-from-being-indexed-by-Splunk/m-p/9220#M25 reswob4 2017-08-16T14:26:44Z https://community.splunk.com/t5/Getting-Data-In/How-do-i-exclude-some-events-from-being-indexed-by-Splunk/m-p/9221#M26 <P>I tried this solution but no success.<BR /> I am trying to filter data from being indexed.I need only the Error events</P> <P>In props conf:<BR /> [source:://C:\Windows\System32\winevt\Logs]</P> <H1>Transforms must be applied in this order</H1> <H1>to make sure events are dropped on the</H1> <H1>floor prior to making their way to the</H1> <H1>index processor</H1> <P>TRANSFORMS-set = setnull, setparsing</P> <P>In transforms.conf: <BR /> [setnull]<BR /> REGEX = .<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue<BR /> [setparsing]<BR /> REGEX = Error<BR /> DEST_KEY = queue<BR /> FORMAT = indexQueue</P> Tue, 29 Sep 2020 15:52:14 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-i-exclude-some-events-from-being-indexed-by-Splunk/m-p/9221#M26 amit2301 2020-09-29T15:52:14Z https://community.splunk.com/t5/Getting-Data-In/How-do-i-exclude-some-events-from-being-indexed-by-Splunk/m-p/9222#M27 <P>I've also tried this but it doesn't work.</P> <UL> <LI>Could you clarify the location of the Props.conf and Transforms.conf files? There are several in the Splunk file system so it could be that I've modified the wrong ones?</LI> </UL> Wed, 31 Oct 2018 09:55:43 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-i-exclude-some-events-from-being-indexed-by-Splunk/m-p/9222#M27 kalpeshkhetanil 2018-10-31T09:55:43Z https://community.splunk.com/t5/Getting-Data-In/How-do-i-exclude-some-events-from-being-indexed-by-Splunk/m-p/9223#M28 <P>Correction: Works perfectly.</P> <P>Issue is that I wasn't searching in the right time range. </P> Wed, 22 Jan 2020 17:17:55 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-i-exclude-some-events-from-being-indexed-by-Splunk/m-p/9223#M28 ifeldshteyn 2020-01-22T17:17:55Z