https://community.splunk.com/t5/Getting-Data-In/Exclude-lines-from-log-at-input-time/m-p/423744#M74403 <P>Don't you forget to modify your props.conf and restart splunk?</P> Wed, 30 May 2018 13:24:09 GMT artist0 2018-05-30T13:24:09Z https://community.splunk.com/t5/Getting-Data-In/Exclude-lines-from-log-at-input-time/m-p/423740#M74399 <P>Hello there, <BR /> i got a Catalina log and i don't want to index lines that contains one of that word: API PROXY, WARN, ERROR</P> <P>After that i want to aggregate some lines.</P> <P>I'm using a Single instance deployment of Splunk7.1.</P> <P>Can someone help me to delete the log lines?</P> <P>Thanks</P> Wed, 30 May 2018 09:50:49 GMT https://community.splunk.com/t5/Getting-Data-In/Exclude-lines-from-log-at-input-time/m-p/423740#M74399 marziaolla 2018-05-30T09:50:49Z https://community.splunk.com/t5/Getting-Data-In/Exclude-lines-from-log-at-input-time/m-p/423741#M74400 <P>Hello, try some solutions from this post:</P> <P><A href="https://answers.splunk.com/answers/96/how-do-i-exclude-some-events-from-being-indexed-by-splunk.html">https://answers.splunk.com/answers/96/how-do-i-exclude-some-events-from-being-indexed-by-splunk.html</A></P> Wed, 30 May 2018 10:09:43 GMT https://community.splunk.com/t5/Getting-Data-In/Exclude-lines-from-log-at-input-time/m-p/423741#M74400 artist0 2018-05-30T10:09:43Z https://community.splunk.com/t5/Getting-Data-In/Exclude-lines-from-log-at-input-time/m-p/423742#M74401 <P>If you want to filter the captured logs, use "nullQueue".</P> <P>Filter event data and send to queues<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad">http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad</A></P> Wed, 30 May 2018 10:14:10 GMT https://community.splunk.com/t5/Getting-Data-In/Exclude-lines-from-log-at-input-time/m-p/423742#M74401 HiroshiSatoh 2018-05-30T10:14:10Z https://community.splunk.com/t5/Getting-Data-In/Exclude-lines-from-log-at-input-time/m-p/423743#M74402 <P>I tried with this transforms.conf file </P> <PRE><CODE>[setnull] REGEX = API PROXY|WARN|ERROR DEST_KEY = queue FORMAT = nullQueue [setparsing] REGEX = . DEST_KEY = queue FORMAT = indexQueue </CODE></PRE> <P>but it doesn't work</P> Wed, 30 May 2018 13:15:56 GMT https://community.splunk.com/t5/Getting-Data-In/Exclude-lines-from-log-at-input-time/m-p/423743#M74402 marziaolla 2018-05-30T13:15:56Z https://community.splunk.com/t5/Getting-Data-In/Exclude-lines-from-log-at-input-time/m-p/423744#M74403 <P>Don't you forget to modify your props.conf and restart splunk?</P> Wed, 30 May 2018 13:24:09 GMT https://community.splunk.com/t5/Getting-Data-In/Exclude-lines-from-log-at-input-time/m-p/423744#M74403 artist0 2018-05-30T13:24:09Z https://community.splunk.com/t5/Getting-Data-In/Exclude-lines-from-log-at-input-time/m-p/423745#M74404 <P>i've modified props.conf and restart but it still doesnt work</P> Wed, 30 May 2018 13:46:54 GMT https://community.splunk.com/t5/Getting-Data-In/Exclude-lines-from-log-at-input-time/m-p/423745#M74404 marziaolla 2018-05-30T13:46:54Z https://community.splunk.com/t5/Getting-Data-In/Exclude-lines-from-log-at-input-time/m-p/423746#M74405 <P>How is this done?</P> <PRE><CODE> [setnull] REGEX = (API PROXY|WARN|ERROR) DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> Wed, 30 May 2018 15:54:23 GMT https://community.splunk.com/t5/Getting-Data-In/Exclude-lines-from-log-at-input-time/m-p/423746#M74405 HiroshiSatoh 2018-05-30T15:54:23Z