https://community.splunk.com/t5/Getting-Data-In/How-can-I-exclude-data-from-being-ingested-by-the-universal/m-p/301852#M57025 <P>@neophyte01, you can use <CODE>nullQueue</CODE> for this using <CODE>transforms.conf</CODE> and <CODE>props.conf</CODE></P> <P>Refer to documentation: <A href="http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Discard_specific_events_and_keep_the_rest">http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Discard_specific_events_and_keep_the_rest</A></P> Wed, 22 Nov 2017 20:18:01 GMT niketn 2017-11-22T20:18:01Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-exclude-data-from-being-ingested-by-the-universal/m-p/301851#M57024 <P>Hello all, </P> <P>I have recently set up Splunk to monitor /var/log/messages.<BR /> There is one event in this log that I would like to exclude. <BR /> The event itself really does not matter.<BR /> I would just like to know how I can keep certain types of data<BR /> from getting into Splunk, without ignoring the files which the data comes from.</P> <P>Please help.</P> Wed, 22 Nov 2017 17:39:15 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-exclude-data-from-being-ingested-by-the-universal/m-p/301851#M57024 neophyte01 2017-11-22T17:39:15Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-exclude-data-from-being-ingested-by-the-universal/m-p/301852#M57025 <P>@neophyte01, you can use <CODE>nullQueue</CODE> for this using <CODE>transforms.conf</CODE> and <CODE>props.conf</CODE></P> <P>Refer to documentation: <A href="http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Discard_specific_events_and_keep_the_rest">http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Discard_specific_events_and_keep_the_rest</A></P> Wed, 22 Nov 2017 20:18:01 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-exclude-data-from-being-ingested-by-the-universal/m-p/301852#M57025 niketn 2017-11-22T20:18:01Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-exclude-data-from-being-ingested-by-the-universal/m-p/301853#M57026 <P>And this will be configured on Indexer/Heavy forwarder, one to which your universal forwarder sends data to.</P> Wed, 22 Nov 2017 20:28:54 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-exclude-data-from-being-ingested-by-the-universal/m-p/301853#M57026 somesoni2 2017-11-22T20:28:54Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-exclude-data-from-being-ingested-by-the-universal/m-p/301854#M57027 <P>@niketnilay thanks. I believe this is what I need. </P> Mon, 27 Nov 2017 16:24:49 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-exclude-data-from-being-ingested-by-the-universal/m-p/301854#M57027 neophyte01 2017-11-27T16:24:49Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-exclude-data-from-being-ingested-by-the-universal/m-p/301855#M57028 <P>@neophyte01, I have converted to answer. Please accept if your issue is resolved.</P> Thu, 30 Nov 2017 14:52:59 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-exclude-data-from-being-ingested-by-the-universal/m-p/301855#M57028 niketn 2017-11-30T14:52:59Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-exclude-data-from-being-ingested-by-the-universal/m-p/589272#M103358 <P>We have an outside scanning agency that is constantly doing nmap like scans of our external perimeter.&nbsp; It is generating a log of log data on the perimeter CISCO firewalls.&nbsp;&nbsp; We know the IPs that the scanning is coming from; is there a way to tell the forwarders to NOT forward that log data from the firewalls for those IPs?</P><P>Thanks for any insights on this.&nbsp; Our Splunk SME are looking at CRIBL to do this but reading this thread makes me believe there are configuration settings that might address this?</P><P>V/R</P><P>Bob M.</P> Wed, 16 Mar 2022 12:04:26 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-exclude-data-from-being-ingested-by-the-universal/m-p/589272#M103358 bobmorning 2022-03-16T12:04:26Z