https://community.splunk.com/t5/Getting-Data-In/Trying-to-filter-ESXi-before-being-indexed/m-p/315990#M59131 <P>hey</P> <P>So you want to keep specific event and discard the rest.<BR /> follow this steps to do that : same is written in the doc as well <BR /> <A href="http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Forwarding/Routeandfilterdatad#Keep_specific_events_and_discard_the_rest">http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Forwarding/Routeandfilterdatad#Keep_specific_events_and_discard_the_rest</A></P> <P><STRONG>step 1:</STRONG> Edit props.conf and add the following:you will do this on /local/props.conf of the same path i.e. <CODE>/opt/splunk/etc/app/&lt;appname&gt;/local</CODE></P> <PRE><CODE>[&lt;specify_sourcetype_name&gt;] TRANSFORMS-set= setnull,setparsing </CODE></PRE> <P><STRONG>step 2:</STRONG> Edit transforms.conf and add the following:</P> <PRE><CODE>[setnull] REGEX = . DEST_KEY = queue FORMAT = nullQueue [setparsing] REGEX = dfwpktlogs DEST_KEY = queue FORMAT = indexQueue </CODE></PRE> <P><STRONG>step 3:</STRONG> Restart Splunk Enterprise.</P> <P>Also, now you want to set the retention period of 1 month i.e. 30 days</P> <P>so find that index in mostly in <CODE>/opt/splunk/etc/&lt;appname&gt;/default/indexes.conf</CODE> and copy the stanza in <CODE>local/indexes.conf</CODE></P> <P>and add this attribute to that stanza</P> <PRE><CODE>frozenTimePeriodInSecs = 2592000 </CODE></PRE> <P>Find more information in indexes.conf and props.conf</P> <P>Let me know if it helps !</P> Mon, 15 Jan 2018 18:09:56 GMT mayurr98 2018-01-15T18:09:56Z https://community.splunk.com/t5/Getting-Data-In/Trying-to-filter-ESXi-before-being-indexed/m-p/315989#M59130 <P>Not sure if this is possible on a single server instance of a Splunk setup but I have all my ESXi logs forwarding to my Splunk server over TCP:1514. I did some digging and found references to the props.conf file and adding a regex filter there. So I did some digging and found multiple copies of this config file but I think (and tell me if I am wrong here) that I need to modify the copy found under:<BR /> \etc\system\local</P> <P>If that is the case I just need some guidance no how to filter out everything but logs that contain the string "dfwpktlogs"</P> <P>I am trying to filter out the rest of the logs as ESXi is very chatty and it eats into the license and I have to set the index it feeds into to only keep logs for a month because it just fills up so fast. </P> Mon, 15 Jan 2018 17:14:41 GMT https://community.splunk.com/t5/Getting-Data-In/Trying-to-filter-ESXi-before-being-indexed/m-p/315989#M59130 snix 2018-01-15T17:14:41Z https://community.splunk.com/t5/Getting-Data-In/Trying-to-filter-ESXi-before-being-indexed/m-p/315990#M59131 <P>hey</P> <P>So you want to keep specific event and discard the rest.<BR /> follow this steps to do that : same is written in the doc as well <BR /> <A href="http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Forwarding/Routeandfilterdatad#Keep_specific_events_and_discard_the_rest">http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Forwarding/Routeandfilterdatad#Keep_specific_events_and_discard_the_rest</A></P> <P><STRONG>step 1:</STRONG> Edit props.conf and add the following:you will do this on /local/props.conf of the same path i.e. <CODE>/opt/splunk/etc/app/&lt;appname&gt;/local</CODE></P> <PRE><CODE>[&lt;specify_sourcetype_name&gt;] TRANSFORMS-set= setnull,setparsing </CODE></PRE> <P><STRONG>step 2:</STRONG> Edit transforms.conf and add the following:</P> <PRE><CODE>[setnull] REGEX = . DEST_KEY = queue FORMAT = nullQueue [setparsing] REGEX = dfwpktlogs DEST_KEY = queue FORMAT = indexQueue </CODE></PRE> <P><STRONG>step 3:</STRONG> Restart Splunk Enterprise.</P> <P>Also, now you want to set the retention period of 1 month i.e. 30 days</P> <P>so find that index in mostly in <CODE>/opt/splunk/etc/&lt;appname&gt;/default/indexes.conf</CODE> and copy the stanza in <CODE>local/indexes.conf</CODE></P> <P>and add this attribute to that stanza</P> <PRE><CODE>frozenTimePeriodInSecs = 2592000 </CODE></PRE> <P>Find more information in indexes.conf and props.conf</P> <P>Let me know if it helps !</P> Mon, 15 Jan 2018 18:09:56 GMT https://community.splunk.com/t5/Getting-Data-In/Trying-to-filter-ESXi-before-being-indexed/m-p/315990#M59131 mayurr98 2018-01-15T18:09:56Z https://community.splunk.com/t5/Getting-Data-In/Trying-to-filter-ESXi-before-being-indexed/m-p/315991#M59132 <P>@mayurr98, thank you for the detailed post. I am still a Splunk novice so I just need to clarify a couple things before I make the change in production. </P> <P>The proper path for the props.conf file if I am not using a specific app for our ESXi logs will be <BR /> <CODE>/opt/splunk/etc/app/search/local</CODE>?</P> <P>Also according to the link, you provided it mentions putting the setting you provided at the top of the prop.config file. Just wanted to verify the location where I put the settings in the file matters. </P> Mon, 15 Jan 2018 23:33:57 GMT https://community.splunk.com/t5/Getting-Data-In/Trying-to-filter-ESXi-before-being-indexed/m-p/315991#M59132 snix 2018-01-15T23:33:57Z https://community.splunk.com/t5/Getting-Data-In/Trying-to-filter-ESXi-before-being-indexed/m-p/315992#M59133 <P>Okay just testing the suggested settings and just made sure to put the new settings at the top of the props.config file and did a restart and it worked! </P> <P>Thank you for your help!</P> Tue, 16 Jan 2018 00:22:44 GMT https://community.splunk.com/t5/Getting-Data-In/Trying-to-filter-ESXi-before-being-indexed/m-p/315992#M59133 snix 2018-01-16T00:22:44Z https://community.splunk.com/t5/Getting-Data-In/Trying-to-filter-ESXi-before-being-indexed/m-p/315993#M59134 <P>yes you are right./opt/splunk/etc/system/local/ defines the global path. you should make changes to /app//local is a best practice.</P> Tue, 16 Jan 2018 08:18:59 GMT https://community.splunk.com/t5/Getting-Data-In/Trying-to-filter-ESXi-before-being-indexed/m-p/315993#M59134 mayurr98 2018-01-16T08:18:59Z