https://community.splunk.com/t5/Getting-Data-In/Is-there-an-easy-way-to-disable-indexing-for-a-source-instead-of/m-p/205330#M40521 <P>Is there specific data in that source that is considered "garbage"? With the use of regular expressions you can usually dynamically filter out portions of events or even entire events from being indexed.</P> Thu, 09 Jun 2016 19:05:05 GMT ryanoconnor 2016-06-09T19:05:05Z https://community.splunk.com/t5/Getting-Data-In/Is-there-an-easy-way-to-disable-indexing-for-a-source-instead-of/m-p/205329#M40520 <P>There are some situations in which we know that a certain source is going to be creating a lot of garbage data since we're running a test. So it would be ideal if we could disable indexing on this source so that we don't have to sort through all the garbage and so that the garbage isn't counted toward the license usage. I've looked into filtering to a nullQueue, and that's an option. However, it seems like somewhat of a hassle to modify two conf files any time I want to stop indexing. Has anyone run into a better way of doing this or a way to make it easier? Thanks!</P> Thu, 09 Jun 2016 13:35:35 GMT https://community.splunk.com/t5/Getting-Data-In/Is-there-an-easy-way-to-disable-indexing-for-a-source-instead-of/m-p/205329#M40520 bbrubaker 2016-06-09T13:35:35Z https://community.splunk.com/t5/Getting-Data-In/Is-there-an-easy-way-to-disable-indexing-for-a-source-instead-of/m-p/205330#M40521 <P>Is there specific data in that source that is considered "garbage"? With the use of regular expressions you can usually dynamically filter out portions of events or even entire events from being indexed.</P> Thu, 09 Jun 2016 19:05:05 GMT https://community.splunk.com/t5/Getting-Data-In/Is-there-an-easy-way-to-disable-indexing-for-a-source-instead-of/m-p/205330#M40521 ryanoconnor 2016-06-09T19:05:05Z https://community.splunk.com/t5/Getting-Data-In/Is-there-an-easy-way-to-disable-indexing-for-a-source-instead-of/m-p/205331#M40522 <P>It's more that certain tests that are run on the server create logs that would usually be useful, but when these tests are run it creates a lot of them that we don't really need. So it would be ideal if we could just turn off indexing for the source that these logs come from.</P> Thu, 09 Jun 2016 19:29:59 GMT https://community.splunk.com/t5/Getting-Data-In/Is-there-an-easy-way-to-disable-indexing-for-a-source-instead-of/m-p/205331#M40522 bbrubaker 2016-06-09T19:29:59Z https://community.splunk.com/t5/Getting-Data-In/Is-there-an-easy-way-to-disable-indexing-for-a-source-instead-of/m-p/205332#M40523 <P>Having never seen the logs and not knowing much about the process here, I'll just ask if it is possible to differentiate your test case in anyway? I'll give you some high level suggestions:</P> <UL> <LI>Can you run tests from a test host? </LI> <LI>Can you output test logs to a different file than in production?</LI> <LI>Do the test events contain any other unique data (test users, etc.)?</LI> </UL> <P>One other suggestion would be If you only wanted to modify one file, you could change the inputs.conf file to route data to a different sourcetype when you're testing and have that sourcetype always being sent to the nullQueue. </P> Thu, 09 Jun 2016 19:41:32 GMT https://community.splunk.com/t5/Getting-Data-In/Is-there-an-easy-way-to-disable-indexing-for-a-source-instead-of/m-p/205332#M40523 ryanoconnor 2016-06-09T19:41:32Z