https://community.splunk.com/t5/Getting-Data-In/Where-do-I-exclude-data-from-input/m-p/377046#M68229 <P>Hi, </P> <P>I'm sorry in advance for the really basic question but Splunk is all new to me and I couldn't find exactly what I want in the documentation.</P> <P>I have a server class (_server_app_PIA_App_Servers) that has an input to read logs from a specific application log directory (Peopletools Application Servers in this case). The logs have a lot of unimportant and repeating data and I don't want to index, mainly just things such as "checking for processes" that repeats every 5 seconds. I want to exclude this data from the index so it's not taking up unnecessary space and I'm pretty sure I need to add a props.conf and transforms.conf to do this (sending those lines to null with a transform) however I don't know WHERE to do it - do I put these in the Universal Forwarder /etc/apps/ directory for these specific servers, or do I put them on the Indexer in the DeployedApps directory and redeploy the app? </P> <P>Or somewhere else??</P> <P>Thanks!</P> <P>Grahame</P> Tue, 29 Sep 2020 22:30:01 GMT sov_gwright 2020-09-29T22:30:01Z https://community.splunk.com/t5/Getting-Data-In/Where-do-I-exclude-data-from-input/m-p/377046#M68229 <P>Hi, </P> <P>I'm sorry in advance for the really basic question but Splunk is all new to me and I couldn't find exactly what I want in the documentation.</P> <P>I have a server class (_server_app_PIA_App_Servers) that has an input to read logs from a specific application log directory (Peopletools Application Servers in this case). The logs have a lot of unimportant and repeating data and I don't want to index, mainly just things such as "checking for processes" that repeats every 5 seconds. I want to exclude this data from the index so it's not taking up unnecessary space and I'm pretty sure I need to add a props.conf and transforms.conf to do this (sending those lines to null with a transform) however I don't know WHERE to do it - do I put these in the Universal Forwarder /etc/apps/ directory for these specific servers, or do I put them on the Indexer in the DeployedApps directory and redeploy the app? </P> <P>Or somewhere else??</P> <P>Thanks!</P> <P>Grahame</P> Tue, 29 Sep 2020 22:30:01 GMT https://community.splunk.com/t5/Getting-Data-In/Where-do-I-exclude-data-from-input/m-p/377046#M68229 sov_gwright 2020-09-29T22:30:01Z https://community.splunk.com/t5/Getting-Data-In/Where-do-I-exclude-data-from-input/m-p/377047#M68230 <P>Hi sov_gwright,<BR /> parsing phase is on Indexers or on Heavy Forwarders.<BR /> Follow documentation at <A href="https://docs.splunk.com/Documentation/Splunk/7.2.1/Forwarding/Routeandfilterdatad">https://docs.splunk.com/Documentation/Splunk/7.2.1/Forwarding/Routeandfilterdatad</A> to filer your events.</P> <P>Bye.<BR /> Giuseppe</P> Tue, 18 Dec 2018 12:50:19 GMT https://community.splunk.com/t5/Getting-Data-In/Where-do-I-exclude-data-from-input/m-p/377047#M68230 gcusello 2018-12-18T12:50:19Z https://community.splunk.com/t5/Getting-Data-In/Where-do-I-exclude-data-from-input/m-p/377048#M68231 <P>HI,</P> <P>this is set on the indexer. Depending if you have a cluster set it in /master-apps and apply a new bundle, or if standalone set it in an app/local or in system/local / or deploy it with deployment server in /deployment-apps</P> <P>Like this:</P> <P>props.conf</P> <PRE><CODE> [sourcetype] TRANSFORMS-&lt;name&gt;=&lt;name_in_transforms&gt; transforms.conf [&lt;name_in_transforms&gt;] REGEX="" DEST_KEY=queue FORMAT=nullQueue </CODE></PRE> Tue, 18 Dec 2018 12:51:57 GMT https://community.splunk.com/t5/Getting-Data-In/Where-do-I-exclude-data-from-input/m-p/377048#M68231 dkeck 2018-12-18T12:51:57Z https://community.splunk.com/t5/Getting-Data-In/Where-do-I-exclude-data-from-input/m-p/377049#M68232 <P>Thanks, I had looked at that but the section on filtering data to null is not explicit on where to put the props and transforms files. </P> Tue, 18 Dec 2018 12:57:54 GMT https://community.splunk.com/t5/Getting-Data-In/Where-do-I-exclude-data-from-input/m-p/377049#M68232 sov_gwright 2018-12-18T12:57:54Z https://community.splunk.com/t5/Getting-Data-In/Where-do-I-exclude-data-from-input/m-p/377050#M68233 <P>Perfect, thanks! It's not a cluster, but since this app is not installed on the indexer (it's not in etc/apps/, only in etc/deployed-apps) I'll throw the files in system/local. </P> Tue, 18 Dec 2018 12:59:13 GMT https://community.splunk.com/t5/Getting-Data-In/Where-do-I-exclude-data-from-input/m-p/377050#M68233 sov_gwright 2018-12-18T12:59:13Z https://community.splunk.com/t5/Getting-Data-In/Where-do-I-exclude-data-from-input/m-p/377051#M68234 <P>There is no directory called etc/deployed-apps, only deployment-apps. Deployed apps from a deployment server are deployed to /etc/apps on the client <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> have this in mind please <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>you can also just create an app in /etc/apps/ on the indexer to contain the props and transforms in </P> <PRE><CODE>&gt; /etc/apps/&lt;app_name&gt;/local </CODE></PRE> Tue, 18 Dec 2018 13:02:09 GMT https://community.splunk.com/t5/Getting-Data-In/Where-do-I-exclude-data-from-input/m-p/377051#M68234 dkeck 2018-12-18T13:02:09Z