https://community.splunk.com/t5/Getting-Data-In/Search-Head-filter-data-from-Backend/m-p/488753#M83640 <P>are you just a user of splunk or are you the splunk admin? filtering data before indexing is doable and not terribly complicated, but it's not button clicks either. And it's helpful to have an understanding of how Splunk works, which isn't often the case with new users.</P> <P>I would recommend reading this article: <A href="https://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F">https://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F</A><BR /> And if that makes enough sense, then check out splunk's docs on routing: <A href="https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad">https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad</A></P> <P>That said...assuming that you do want to filter data before it is indexed, the data is coming from a universal forwarder, going to an indexer, has a sourcetype of "xyz" and contains the literal text "user=NYZ", then try putting these settings on your indexer(s).</P> <P><STRONG>props.conf</STRONG></P> <PRE><CODE>[xyz] TRANSFORMS-keep_nyz_only = send_to_null_queue, keep_nyz </CODE></PRE> <P><STRONG>transforms.conf</STRONG></P> <PRE><CODE>[send_to_null_queue] REGEX = . DEST_KEY = queue FORMAT = nullQueue [keep_nyz] REGEX = user=NYZ DEST_KEY = queue FORMAT = indexQueue </CODE></PRE> <P>The concept here is that when data comes to the indexer with a sourcetype of xyz, splunk is configured to transform that data twice. The first thing we do is set all of the data to be destined for the null queue (deleted). Next, we go back and reset any events with that user to be destined for the indexQueue (to be indexed). </P> Sat, 18 Jan 2020 14:05:08 GMT maciep 2020-01-18T14:05:08Z https://community.splunk.com/t5/Getting-Data-In/Search-Head-filter-data-from-Backend/m-p/488750#M83637 <P>Hello Team,</P> <P>I am in New Splunk,</P> <P>I am have Search head where I am applying Some filter like </P> <P><STRONG>index=xyz sourcetype=xyz User=*NYZ</STRONG>*</P> <P>So this User=<EM>NYZ</EM> filter , i want splunk do it for myself while getting indexed,so basically i want filter index data rather then complete data of users i am filter data to be shown for index XYZ in backend</P> <P>expected output without Filter should be seeen all NYZ Users</P> Fri, 17 Jan 2020 18:37:14 GMT https://community.splunk.com/t5/Getting-Data-In/Search-Head-filter-data-from-Backend/m-p/488750#M83637 mailtosnsolutio 2020-01-17T18:37:14Z https://community.splunk.com/t5/Getting-Data-In/Search-Head-filter-data-from-Backend/m-p/488751#M83638 <P>so basically you want to only send the data to the index based upon that user?</P> Fri, 17 Jan 2020 19:54:08 GMT https://community.splunk.com/t5/Getting-Data-In/Search-Head-filter-data-from-Backend/m-p/488751#M83638 jscraig2006 2020-01-17T19:54:08Z https://community.splunk.com/t5/Getting-Data-In/Search-Head-filter-data-from-Backend/m-p/488752#M83639 <P>Yes ,please</P> Sat, 18 Jan 2020 07:05:11 GMT https://community.splunk.com/t5/Getting-Data-In/Search-Head-filter-data-from-Backend/m-p/488752#M83639 mailtosnsolutio 2020-01-18T07:05:11Z https://community.splunk.com/t5/Getting-Data-In/Search-Head-filter-data-from-Backend/m-p/488753#M83640 <P>are you just a user of splunk or are you the splunk admin? filtering data before indexing is doable and not terribly complicated, but it's not button clicks either. And it's helpful to have an understanding of how Splunk works, which isn't often the case with new users.</P> <P>I would recommend reading this article: <A href="https://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F">https://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F</A><BR /> And if that makes enough sense, then check out splunk's docs on routing: <A href="https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad">https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad</A></P> <P>That said...assuming that you do want to filter data before it is indexed, the data is coming from a universal forwarder, going to an indexer, has a sourcetype of "xyz" and contains the literal text "user=NYZ", then try putting these settings on your indexer(s).</P> <P><STRONG>props.conf</STRONG></P> <PRE><CODE>[xyz] TRANSFORMS-keep_nyz_only = send_to_null_queue, keep_nyz </CODE></PRE> <P><STRONG>transforms.conf</STRONG></P> <PRE><CODE>[send_to_null_queue] REGEX = . DEST_KEY = queue FORMAT = nullQueue [keep_nyz] REGEX = user=NYZ DEST_KEY = queue FORMAT = indexQueue </CODE></PRE> <P>The concept here is that when data comes to the indexer with a sourcetype of xyz, splunk is configured to transform that data twice. The first thing we do is set all of the data to be destined for the null queue (deleted). Next, we go back and reset any events with that user to be destined for the indexQueue (to be indexed). </P> Sat, 18 Jan 2020 14:05:08 GMT https://community.splunk.com/t5/Getting-Data-In/Search-Head-filter-data-from-Backend/m-p/488753#M83640 maciep 2020-01-18T14:05:08Z