<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: How to Remove the data getting indexed? in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/How-to-Remove-the-data-getting-indexed/m-p/462557#M85895</link>
    <description>&lt;P&gt;Thanks @gcusello can you help me at a configuration level what changes has to be made to stop selective data getting indexed?&lt;/P&gt;</description>
    <pubDate>Wed, 01 Apr 2020 08:54:09 GMT</pubDate>
    <dc:creator>Inayath_khan</dc:creator>
    <dc:date>2020-04-01T08:54:09Z</dc:date>
    <item>
      <title>How to Remove the data getting indexed?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-Remove-the-data-getting-indexed/m-p/462555#M85893</link>
      <description>&lt;P&gt;Hi Folks,&lt;/P&gt;

&lt;P&gt;Can anyone suggest how to remove the below data getting indexed to indexer and also how to remove the data which is already indexed?&lt;/P&gt;

&lt;P&gt;timestamp syslog_host user remote_host connection_id query_id operation database object&lt;/P&gt;</description>
      <pubDate>Wed, 30 Sep 2020 04:48:10 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-Remove-the-data-getting-indexed/m-p/462555#M85893</guid>
      <dc:creator>Inayath_khan</dc:creator>
      <dc:date>2020-09-30T04:48:10Z</dc:date>
    </item>
    <item>
      <title>Re: How to Remove the data getting indexed?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-Remove-the-data-getting-indexed/m-p/462556#M85894</link>
      <description>&lt;P&gt;Hi @Inayath_khan,&lt;BR /&gt;
Splunk isn't a database, so you cannot modify or remove data after indexing:&lt;/P&gt;

&lt;UL&gt;
&lt;LI&gt;You can filter data deleting them before indexing ( &lt;A href="https://docs.splunk.com/Documentation/Splunk/8.0.2/Forwarding/Routeandfilterdatad"&gt;https://docs.splunk.com/Documentation/Splunk/8.0.2/Forwarding/Routeandfilterdatad&lt;/A&gt; ), in this way data aren't indexed and don't consume license;&lt;/LI&gt;
&lt;LI&gt;you can replace a part of events ( &lt;A href="https://docs.splunk.com/Documentation/SplunkCloud/8.0.2001/Data/Anonymizedata"&gt;https://docs.splunk.com/Documentation/SplunkCloud/8.0.2001/Data/Anonymizedata&lt;/A&gt; );&lt;/LI&gt;
&lt;LI&gt;you can logically delete events using the &lt;CODE&gt;| delete&lt;/CODE&gt; command; remember that the &lt;CODE&gt;can_delete&lt;/CODE&gt; feature, by default, isn't available for all users, even if admins (and it isn't a good idea to enable admins to do this!); this command deletes events but only logically, because physically events remain in the index.&lt;/LI&gt;
&lt;LI&gt;clean a full index by CLI, in this case deletion is also physical.&lt;/LI&gt;
&lt;/UL&gt;

&lt;P&gt;Ciao.&lt;BR /&gt;
Giuseppe&lt;/P&gt;</description>
      <pubDate>Wed, 01 Apr 2020 08:25:32 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-Remove-the-data-getting-indexed/m-p/462556#M85894</guid>
      <dc:creator>gcusello</dc:creator>
      <dc:date>2020-04-01T08:25:32Z</dc:date>
    </item>
    <item>
      <title>Re: How to Remove the data getting indexed?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-Remove-the-data-getting-indexed/m-p/462557#M85895</link>
      <description>&lt;P&gt;Thanks @gcusello can you help me at a configuration level what changes has to be made to stop selective data getting indexed?&lt;/P&gt;</description>
      <pubDate>Wed, 01 Apr 2020 08:54:09 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-Remove-the-data-getting-indexed/m-p/462557#M85895</guid>
      <dc:creator>Inayath_khan</dc:creator>
      <dc:date>2020-04-01T08:54:09Z</dc:date>
    </item>
    <item>
      <title>Re: How to Remove the data getting indexed?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-Remove-the-data-getting-indexed/m-p/462558#M85896</link>
      <description>&lt;P&gt;Hi &lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/67837"&gt;@Inayath_khan&lt;/a&gt;,&lt;BR /&gt;
as described at &lt;A href="https://docs.splunk.com/Documentation/Splunk/8.0.2/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues" target="_blank"&gt;https://docs.splunk.com/Documentation/Splunk/8.0.2/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues&lt;/A&gt;, you can filter data before indexing in two ways:&lt;/P&gt;

&lt;UL&gt;
&lt;LI&gt;take all the data and delete some identified events,&lt;/LI&gt;
&lt;LI&gt;delete all the data and take identified events.&lt;/LI&gt;
&lt;/UL&gt;

&lt;P&gt;In both cases you have to follow these steps:&lt;/P&gt;

&lt;UL&gt;
&lt;LI&gt;identify events to filter (sourcetype or source or host);&lt;/LI&gt;
&lt;LI&gt;identify rule to discard or take logs (regex);&lt;/LI&gt;
&lt;LI&gt;modify props.conf and transforms.conf on indexers or (when present) on Heavy Forwarders;&lt;/LI&gt;
&lt;LI&gt;put props.conf and transforms.conf in an App (better) or in $SPLUNK_HOME/etc/system/local.&lt;/LI&gt;
&lt;/UL&gt;

&lt;P&gt;&lt;STRONG&gt;Discard specific events and keep the rest:&lt;/STRONG&gt;&lt;BR /&gt;
In &lt;STRONG&gt;props.conf&lt;/STRONG&gt;, set the TRANSFORMS-null attribute:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[your_sourcetype]
TRANSFORMS-null= setnull
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;in &lt;STRONG&gt;transforms.conf&lt;/STRONG&gt;, set DEST_KEY to "queue" and FORMAT to "nullQueue":&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[setnull]
REGEX = your_regex
DEST_KEY = queue
FORMAT = nullQueue
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;At the end restart Splunk Enterprise.&lt;/P&gt;

&lt;P&gt;&lt;STRONG&gt;Keep specific events and discard the rest&lt;/STRONG&gt;&lt;BR /&gt;
In &lt;STRONG&gt;props.conf&lt;/STRONG&gt;:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[your_sourcetype]
TRANSFORMS-set= setnull,setparsing
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;In &lt;STRONG&gt;transforms.conf&lt;/STRONG&gt;:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = your-regex
DEST_KEY = queue
FORMAT = indexQueue
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;At the end restart Splunk Enterprise.&lt;/P&gt;

&lt;P&gt;Ciao.&lt;BR /&gt;
Giuseppe&lt;/P&gt;</description>
      <pubDate>Wed, 30 Sep 2020 04:48:11 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-Remove-the-data-getting-indexed/m-p/462558#M85896</guid>
      <dc:creator>gcusello</dc:creator>
      <dc:date>2020-09-30T04:48:11Z</dc:date>
    </item>
  </channel>
</rss>