<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Structured data (TSV) configured on Universal Forwarder with Transform applied on Indexer in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Structured-data-TSV-configured-on-UNiversal-Forwarder-with/m-p/317565#M59381</link>
    <description>&lt;P&gt;I added the transforms to the Universal Forwarder to send the unwanted stuff to the nullQueue and it is now working as I need it to.  I didn't think that would work (even on structured data) but it seems that it does.&lt;/P&gt;

&lt;P&gt;Thank you!&lt;/P&gt;</description>
    <pubDate>Thu, 20 Jul 2017 17:57:20 GMT</pubDate>
    <dc:creator>gn694</dc:creator>
    <dc:date>2017-07-20T17:57:20Z</dc:date>
    <item>
      <title>Structured data (TSV) configured on Universal Forwarder with Transform applied on Indexer</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Structured-data-TSV-configured-on-UNiversal-Forwarder-with/m-p/317563#M59379</link>
      <description>&lt;P&gt;I have some TSV files that I am forwarding with a Universal Forwarder.&lt;BR /&gt;
I have props.conf configured on the UF with the following for the sourcetype:&lt;BR /&gt;
FIELD_DELIMITER = \t&lt;BR /&gt;
HEADER_FIELD_LINE_NUMBER = 1&lt;/P&gt;

&lt;P&gt;That has worked great.  But now I have a need to drop some events so they do not get indexed.&lt;BR /&gt;
On the Indexer I have configured the following for the sourcetype in props.conf:&lt;BR /&gt;
[]&lt;BR /&gt;
TRANSFORMS-null = drop_batchrequests&lt;BR /&gt;
...and in transforms.conf:&lt;BR /&gt;
[drop_batchrequests]&lt;BR /&gt;
REGEX = batchRequest&lt;BR /&gt;
DEST_KEY = queue&lt;BR /&gt;
FORMAT = nullQueue&lt;/P&gt;

&lt;P&gt;At first it was not working; I was still getting events that contain batchRequest.  So I temporarily removed the structured data configuration on the Universal Forwarder (shown above) and the transform worked as desired - batchRequest events were no longer indexed.... But now the TSV format and field recognition were not there...&lt;/P&gt;

&lt;P&gt;So I tried to configure everything in one place.  On the Indexer I specified the structured data config in props.conf using FIELD_DELIMITER and FIELD_NAMES (since I can't use HEADER_FIELD_LINE_NUMBER on the Indexer).  The result of that was the batchRequests events were not indexed, but the fields (from the header row) still were not extracted.&lt;/P&gt;

&lt;P&gt;Am I doing something wrong?  Or is there some reason why these configurations (TSV/structured data field recognition and dropping certain events to the nullQueue) on the same sourcetype will not work together?  I can get each to work independently - but not together.&lt;/P&gt;</description>
      <pubDate>Tue, 29 Sep 2020 14:57:22 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Structured-data-TSV-configured-on-UNiversal-Forwarder-with/m-p/317563#M59379</guid>
      <dc:creator>gn694</dc:creator>
      <dc:date>2020-09-29T14:57:22Z</dc:date>
    </item>
    <item>
      <title>Re: Structured data (TSV) configured on Universal Forwarder with Transform applied on Indexer</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Structured-data-TSV-configured-on-UNiversal-Forwarder-with/m-p/317564#M59380</link>
      <description>&lt;P&gt;Hi gn694, &lt;/P&gt;

&lt;P&gt;Try configuring the INDEXED_EXTRACTIONS props and the filtering on the UF. Structured data is the only data that a UF can complete filtering on. &lt;/P&gt;

&lt;P&gt;This should be helpful in this scenario:&lt;/P&gt;

&lt;P&gt;&lt;A href="http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Caveats_for_routing_and_filtering_structured_data"&gt;http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Caveats_for_routing_and_filtering_structured_data&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 19 Jul 2017 23:28:04 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Structured-data-TSV-configured-on-UNiversal-Forwarder-with/m-p/317564#M59380</guid>
      <dc:creator>mattymo</dc:creator>
      <dc:date>2017-07-19T23:28:04Z</dc:date>
    </item>
    <item>
      <title>Re: Structured data (TSV) configured on Universal Forwarder with Transform applied on Indexer</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Structured-data-TSV-configured-on-UNiversal-Forwarder-with/m-p/317565#M59381</link>
      <description>&lt;P&gt;I added the transforms to the Universal Forwarder to send the unwanted stuff to the nullQueue and it is now working as I need it to.  I didn't think that would work (even on structured data) but it seems that it does.&lt;/P&gt;

&lt;P&gt;Thank you!&lt;/P&gt;</description>
      <pubDate>Thu, 20 Jul 2017 17:57:20 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Structured-data-TSV-configured-on-UNiversal-Forwarder-with/m-p/317565#M59381</guid>
      <dc:creator>gn694</dc:creator>
      <dc:date>2017-07-20T17:57:20Z</dc:date>
    </item>
  </channel>
</rss>

