https://community.splunk.com/t5/Getting-Data-In/Filtering-out-data/m-p/463875#M99537 <P>@anandhalagarasan </P> <P>Can you please below configs?</P> <P>props.conf</P> <PRE><CODE>[YOUR_SOURCETYPE] TRANSFORMS-null= setnull </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[setnull] SOURCE_KEY=_raw REGEX = (com.splunk.application) DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> <P>Note: Do change regular expression if required.</P> Mon, 21 Oct 2019 10:15:40 GMT kamlesh_vaghela 2019-10-21T10:15:40Z https://community.splunk.com/t5/Getting-Data-In/Filtering-out-data/m-p/463873#M99535 <P>Hi Team,</P> <P>We want to filter out the data during indexing time itself if the particular pattern (com.splunk.application) is captured in log. Hence kindly let us know what would be the props and transforms for the same. And the remaining data should ingest into splunk without any issues.</P> <P>Pattern: If the keyword is present "com.splunk.application" in the event then it should not be indexed. </P> <P>Sample Event:</P> <P>DEBUG 2019-10-18 18:43:32,487 [I/O marker 01] com.splunk.applicationinsights.web.url.https.implementation.xxx.client.Maininstallerprog - [ad: 1] Response <BR /> processed</P> <P>DEBUG 2019-10-18 18:43:32,487 [I/O marker 01] com.splunk.applicationinsights.web.url.https.implementation.xx.client.Internalmessage - [ex: 1] releasing connection</P> Mon, 21 Oct 2019 08:31:57 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-out-data/m-p/463873#M99535 anandhalagarasa 2019-10-21T08:31:57Z https://community.splunk.com/t5/Getting-Data-In/Filtering-out-data/m-p/463874#M99536 <P>Hi Team,</P> <P>Can you kindly help on this.</P> Mon, 21 Oct 2019 10:04:54 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-out-data/m-p/463874#M99536 anandhalagarasa 2019-10-21T10:04:54Z https://community.splunk.com/t5/Getting-Data-In/Filtering-out-data/m-p/463875#M99537 <P>@anandhalagarasan </P> <P>Can you please below configs?</P> <P>props.conf</P> <PRE><CODE>[YOUR_SOURCETYPE] TRANSFORMS-null= setnull </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[setnull] SOURCE_KEY=_raw REGEX = (com.splunk.application) DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> <P>Note: Do change regular expression if required.</P> Mon, 21 Oct 2019 10:15:40 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-out-data/m-p/463875#M99537 kamlesh_vaghela 2019-10-21T10:15:40Z https://community.splunk.com/t5/Getting-Data-In/Filtering-out-data/m-p/463876#M99538 <P>Thanks kamlesh it works like a charm.</P> Mon, 21 Oct 2019 14:35:31 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-out-data/m-p/463876#M99538 anandhalagarasa 2019-10-21T14:35:31Z