https://community.splunk.com/t5/Splunk-Search/how-to-not-index-some-data-or-send-it-to-null-queue/m-p/465858#M131207 <P>Hi,</P> <P>I want to know if there is some mechanism by which i can stop indexing a particular kind of data like if<BR /> segment_name="Enforced segment"</P> <P>From getting indexed. </P> <P>My inputs.conf has following entry</P> <P>[monitor:///opt/splunk/logs/check/<EM>/</EM>.log]<BR /> disabled = 0<BR /> host_segment = 5<BR /> sourcetype = check_logs<BR /> index = check</P> <P>here i dont want those lines to get indexed if any of the log files has this pattern in it (segment_name="Enforced segment")</P> <P>Is it possible ?</P> <P>Thanks</P> Wed, 30 Sep 2020 04:51:38 GMT surekhasplunk 2020-09-30T04:51:38Z https://community.splunk.com/t5/Splunk-Search/how-to-not-index-some-data-or-send-it-to-null-queue/m-p/465858#M131207 <P>Hi,</P> <P>I want to know if there is some mechanism by which i can stop indexing a particular kind of data like if<BR /> segment_name="Enforced segment"</P> <P>From getting indexed. </P> <P>My inputs.conf has following entry</P> <P>[monitor:///opt/splunk/logs/check/<EM>/</EM>.log]<BR /> disabled = 0<BR /> host_segment = 5<BR /> sourcetype = check_logs<BR /> index = check</P> <P>here i dont want those lines to get indexed if any of the log files has this pattern in it (segment_name="Enforced segment")</P> <P>Is it possible ?</P> <P>Thanks</P> Wed, 30 Sep 2020 04:51:38 GMT https://community.splunk.com/t5/Splunk-Search/how-to-not-index-some-data-or-send-it-to-null-queue/m-p/465858#M131207 surekhasplunk 2020-09-30T04:51:38Z https://community.splunk.com/t5/Splunk-Search/how-to-not-index-some-data-or-send-it-to-null-queue/m-p/465859#M131208 <P>Yes, add these configurations and check:</P> <P>props.conf</P> <PRE><CODE>[check_logs] TRANSFORMS-null_queue = data_nullq </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[data_nullq] DEST_KEY = queue REGEX = segment_name=\"Enforced segment\" FORMAT = nullQueue </CODE></PRE> Thu, 02 Apr 2020 08:56:00 GMT https://community.splunk.com/t5/Splunk-Search/how-to-not-index-some-data-or-send-it-to-null-queue/m-p/465859#M131208 manjunathmeti 2020-04-02T08:56:00Z https://community.splunk.com/t5/Splunk-Search/how-to-not-index-some-data-or-send-it-to-null-queue/m-p/465860#M131209 <P>Hi @manjunathmeti ,</P> <P>thanks for quick reply</P> <P>Only modification i did is i added like below for REGEX <BR /> REGEX = (segment_name=Enforced segment)</P> <P>This will work right ? since i dont have that double quotes just equalto symbol is there.</P> Thu, 02 Apr 2020 09:36:12 GMT https://community.splunk.com/t5/Splunk-Search/how-to-not-index-some-data-or-send-it-to-null-queue/m-p/465860#M131209 surekhasplunk 2020-04-02T09:36:12Z https://community.splunk.com/t5/Splunk-Search/how-to-not-index-some-data-or-send-it-to-null-queue/m-p/465861#M131210 <P>yes, this will work.</P> Thu, 02 Apr 2020 09:37:51 GMT https://community.splunk.com/t5/Splunk-Search/how-to-not-index-some-data-or-send-it-to-null-queue/m-p/465861#M131210 manjunathmeti 2020-04-02T09:37:51Z https://community.splunk.com/t5/Splunk-Search/how-to-not-index-some-data-or-send-it-to-null-queue/m-p/465862#M131211 <P>Thanks @manjunathmeti,</P> <P>I have one more query if you are aware how to confirm that those have started going to the nullqueue?<BR /> where can i check to get an confirmation that they are now going to the null queue</P> Thu, 02 Apr 2020 09:45:37 GMT https://community.splunk.com/t5/Splunk-Search/how-to-not-index-some-data-or-send-it-to-null-queue/m-p/465862#M131211 surekhasplunk 2020-04-02T09:45:37Z https://community.splunk.com/t5/Splunk-Search/how-to-not-index-some-data-or-send-it-to-null-queue/m-p/465863#M131212 <P>Check: index=_internal sourcetype=splunkd component=metrics processor=nullqueue group=pipeline</P> Thu, 02 Apr 2020 09:56:07 GMT https://community.splunk.com/t5/Splunk-Search/how-to-not-index-some-data-or-send-it-to-null-queue/m-p/465863#M131212 manjunathmeti 2020-04-02T09:56:07Z https://community.splunk.com/t5/Splunk-Search/how-to-not-index-some-data-or-send-it-to-null-queue/m-p/465864#M131213 <P>Thanks a lot ..<BR /> For now am not seeing anything related to my configuration change. but i think will something soon ..</P> Thu, 02 Apr 2020 10:33:24 GMT https://community.splunk.com/t5/Splunk-Search/how-to-not-index-some-data-or-send-it-to-null-queue/m-p/465864#M131213 surekhasplunk 2020-04-02T10:33:24Z https://community.splunk.com/t5/Splunk-Search/how-to-not-index-some-data-or-send-it-to-null-queue/m-p/465865#M131214 <P>Hi @manjunathmeti ,</P> <P>Now the issue is they are getting blocked but other indexes are also effected by this change dont know why</P> Fri, 03 Apr 2020 08:23:30 GMT https://community.splunk.com/t5/Splunk-Search/how-to-not-index-some-data-or-send-it-to-null-queue/m-p/465865#M131214 surekhasplunk 2020-04-03T08:23:30Z https://community.splunk.com/t5/Splunk-Search/how-to-not-index-some-data-or-send-it-to-null-queue/m-p/465866#M131215 <P>If you are using same sourcetype name for other indexes or monitors then this chnage will affect them. You can set unique sourcetype to this monitor or change stanza in propsc.conf as below:</P> <PRE><CODE>[source::/opt/splunk/logs/check/*.log] TRANSFORMS-null_queue = data_nullq </CODE></PRE> Fri, 03 Apr 2020 08:27:21 GMT https://community.splunk.com/t5/Splunk-Search/how-to-not-index-some-data-or-send-it-to-null-queue/m-p/465866#M131215 manjunathmeti 2020-04-03T08:27:21Z