https://community.splunk.com/t5/Getting-Data-In/DATA-filtering-using-Heavy-forwarders/m-p/313375#M58734 <P>You will want to look at the documentation here:</P> <P><A href="http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Forwarding/Routeandfilterdatad#Keep_specific_events_and_discard_the_rest">http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Forwarding/Routeandfilterdatad#Keep_specific_events_and_discard_the_rest</A></P> <P>Essentially you will want to route the unwanted data to the nullqueue.</P> Tue, 28 Nov 2017 14:20:29 GMT jcrabb_splunk 2017-11-28T14:20:29Z https://community.splunk.com/t5/Getting-Data-In/DATA-filtering-using-Heavy-forwarders/m-p/313374#M58733 <P>i was tyring to filter a set of data to indexer by filtering out few data and below are the sample logs and configurations:</P> <P>Here trying to pass only category_id=FLOWERS to the indexer and ignore GIFTS events. <BR /> sample log:</P> <P>177.23.21.50 - - [24/Jul/2014:03:42:00] "GET /flower_store/category.screen?category_id=GIFTS HTTP/1.1" 200 10591 "<A href="http://mystore.splunk.com/flower_store/main%5C%5C.screen&amp;JSESSIONID=SD2SL2FF7ADFF5" target="_blank">http://mystore.splunk.com/flower_store/main\\.screen&amp;JSESSIONID=SD2SL2FF7ADFF5</A>" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.10) Gecko/20070223 CentOS/1.5.0.10-0.1.el4.centos Firefox/1.5.0.10" 2035 1226</P> <P>233.77.49.46 - - [24/Jul/2014:03:41:46] "GET /flower_store/product.screen?product_id=K9-BD-01 HTTP/1.1" 200 10560 "<A href="http://mystore.splunk.com/flower_store/category.screen?category_id=GIFTS&amp;JSESSIONID=SD2SL2FF7ADFF5" target="_blank">http://mystore.splunk.com/flower_store/category.screen?category_id=GIFTS&amp;JSESSIONID=SD2SL2FF7ADFF5</A>" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.10) Gecko/20070223 CentOS/1.5.0.10-0.1.el4.centos Firefox/1.5.0.10" 661 1822</P> <P>177.23.21.50 - - [24/Jul/2014:03:42:00] "GET /flower_store/category.screen?category_id=FLOWERSHTTP/1.1" 200 10591 "<A href="http://mystore.splunk.com/flower_store/main%5C%5C.screen&amp;JSESSIONID=SD2SL2FF7ADFF5" target="_blank">http://mystore.splunk.com/flower_store/main\\.screen&amp;JSESSIONID=SD2SL2FF7ADFF5</A>" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.10) Gecko/20070223 CentOS/1.5.0.10-0.1.el4.centos Firefox/1.5.0.10" 2035 1226</P> <P>Configuration:<BR /> <STRONG>inputs.conf</STRONG></P> <P>[monitor:///opt/log/willwork.log]<BR /> sourcetype = access_common<BR /> index=heavy</P> <P><STRONG>outputs.conf</STRONG> </P> <P>[tcpout]<BR /> defaultGroup = my_search_peers<BR /> forwardedindex.filter.disable = true<BR /> indexAndForward = false</P> <P>[tcpout:my_search_peers]<BR /> server=indexerip:9997</P> <P>[monitor:///opt/log/willwork.log]<BR /> sourcetype = access_common<BR /> index=heavy</P> <P><STRONG>props.conf</STRONG><BR /> [access-combine]<BR /> TRANSFORMS-routing=accessrouting</P> <P><STRONG>transforms.conf</STRONG><BR /> [accessrouting]<BR /> REGEX=FLOWERS<BR /> DEST_KEY=_TCP_ROUTING<BR /> FORMAT=my_search_peers</P> <P>data is getting indexer but GIFTS even is also getting indexed</P> Tue, 29 Sep 2020 17:01:36 GMT https://community.splunk.com/t5/Getting-Data-In/DATA-filtering-using-Heavy-forwarders/m-p/313374#M58733 Venkat_16 2020-09-29T17:01:36Z https://community.splunk.com/t5/Getting-Data-In/DATA-filtering-using-Heavy-forwarders/m-p/313375#M58734 <P>You will want to look at the documentation here:</P> <P><A href="http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Forwarding/Routeandfilterdatad#Keep_specific_events_and_discard_the_rest">http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Forwarding/Routeandfilterdatad#Keep_specific_events_and_discard_the_rest</A></P> <P>Essentially you will want to route the unwanted data to the nullqueue.</P> Tue, 28 Nov 2017 14:20:29 GMT https://community.splunk.com/t5/Getting-Data-In/DATA-filtering-using-Heavy-forwarders/m-p/313375#M58734 jcrabb_splunk 2017-11-28T14:20:29Z