https://community.splunk.com/t5/Splunk-Search/need-to-route-data-to-nullqueue-based-on-index/m-p/380772#M169704 <P>For sourcetype: though they have the common sourcetype, PROD index is also using the same sourcetype. Hence, dropping the data using soucetype will drop the prod data with matching pattern. Hence this is ruled out. </P> <P>For host: the combination are too many and it is going very complex. </P> Wed, 02 May 2018 22:45:13 GMT purnavenkatesh 2018-05-02T22:45:13Z https://community.splunk.com/t5/Splunk-Search/need-to-route-data-to-nullqueue-based-on-index/m-p/380768#M169700 <P>Hi,</P> <P>I need to route the index data to null-queue based on the strings from the events. For example, all the events that contain string pattern "Error" from all the QA* indexes should to routed to nullqueue. </P> <P>Doing it with host and sourcetype is very complex. Can someone suggest me with solution?</P> Wed, 02 May 2018 21:40:32 GMT https://community.splunk.com/t5/Splunk-Search/need-to-route-data-to-nullqueue-based-on-index/m-p/380768#M169700 purnavenkatesh 2018-05-02T21:40:32Z https://community.splunk.com/t5/Splunk-Search/need-to-route-data-to-nullqueue-based-on-index/m-p/380769#M169701 <P>Just checking - you want to drop certain events that are supposed to go to a certain index (or some indexes), and also contain a certain string?</P> Wed, 02 May 2018 21:58:05 GMT https://community.splunk.com/t5/Splunk-Search/need-to-route-data-to-nullqueue-based-on-index/m-p/380769#M169701 xpac 2018-05-02T21:58:05Z https://community.splunk.com/t5/Splunk-Search/need-to-route-data-to-nullqueue-based-on-index/m-p/380770#M169702 <P>yes, to be more clear.</P> <P>I want to drop all the events with string ERROR in it from set of indexes whose starting string is QA</P> Wed, 02 May 2018 22:15:05 GMT https://community.splunk.com/t5/Splunk-Search/need-to-route-data-to-nullqueue-based-on-index/m-p/380770#M169702 purnavenkatesh 2018-05-02T22:15:05Z https://community.splunk.com/t5/Splunk-Search/need-to-route-data-to-nullqueue-based-on-index/m-p/380771#M169703 <P>I fear that's not possible at index time, because you can only filter on either the event text OR the index name. It would be much easier if those events have a common set of source, sourcetype or host, then filtering on the event text would be easy.</P> Wed, 02 May 2018 22:28:58 GMT https://community.splunk.com/t5/Splunk-Search/need-to-route-data-to-nullqueue-based-on-index/m-p/380771#M169703 xpac 2018-05-02T22:28:58Z https://community.splunk.com/t5/Splunk-Search/need-to-route-data-to-nullqueue-based-on-index/m-p/380772#M169704 <P>For sourcetype: though they have the common sourcetype, PROD index is also using the same sourcetype. Hence, dropping the data using soucetype will drop the prod data with matching pattern. Hence this is ruled out. </P> <P>For host: the combination are too many and it is going very complex. </P> Wed, 02 May 2018 22:45:13 GMT https://community.splunk.com/t5/Splunk-Search/need-to-route-data-to-nullqueue-based-on-index/m-p/380772#M169704 purnavenkatesh 2018-05-02T22:45:13Z https://community.splunk.com/t5/Splunk-Search/need-to-route-data-to-nullqueue-based-on-index/m-p/380773#M169705 <P>Sorry, I don't have any good ideas on this that don't sound like really dirty hacks. I'd try to somehow get this organized with hosts and sourcetypes, but I can see how this can be difficult on it's own.</P> Thu, 03 May 2018 00:29:42 GMT https://community.splunk.com/t5/Splunk-Search/need-to-route-data-to-nullqueue-based-on-index/m-p/380773#M169705 xpac 2018-05-03T00:29:42Z https://community.splunk.com/t5/Splunk-Search/need-to-route-data-to-nullqueue-based-on-index/m-p/380774#M169706 <P>Hi @purnavenkatesh,</P> <P>Basically this <A href="http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues">splunk doc</A> answers your questions.</P> <P>You'll be matching events based on source, sourcetype, host or index in your props.conf and running a transform on that event to change it's destination index to nullQueue.</P> Thu, 03 May 2018 01:11:10 GMT https://community.splunk.com/t5/Splunk-Search/need-to-route-data-to-nullqueue-based-on-index/m-p/380774#M169706 kmugglet 2018-05-03T01:11:10Z https://community.splunk.com/t5/Splunk-Search/need-to-route-data-to-nullqueue-based-on-index/m-p/380775#M169707 <P>little correction here, <CODE>props.conf</CODE> stanzas cannot be applied to indexes - see the docs on <CODE>props.conf</CODE> <A href="http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf">http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf</A></P> <PRE><CODE>[&lt;spec&gt;] * This stanza enables properties for a given &lt;spec&gt;. &lt;spec&gt; can be: 1. &lt;sourcetype&gt;, the source type of an event. 2. host::&lt;host&gt;, where &lt;host&gt; is the host, or host-matching pattern, for an event. 3. source::&lt;source&gt;, where &lt;source&gt; is the source, or source-matching pattern, for an event. </CODE></PRE> Thu, 03 May 2018 02:10:17 GMT https://community.splunk.com/t5/Splunk-Search/need-to-route-data-to-nullqueue-based-on-index/m-p/380775#M169707 MuS 2018-05-03T02:10:17Z https://community.splunk.com/t5/Splunk-Search/need-to-route-data-to-nullqueue-based-on-index/m-p/380776#M169708 <P>I tried the props stanza with index and it didn't work. Looking for other approach to achieve this. </P> Thu, 03 May 2018 02:28:06 GMT https://community.splunk.com/t5/Splunk-Search/need-to-route-data-to-nullqueue-based-on-index/m-p/380776#M169708 purnavenkatesh 2018-05-03T02:28:06Z https://community.splunk.com/t5/Splunk-Search/need-to-route-data-to-nullqueue-based-on-index/m-p/380777#M169709 <P>Wouldn't it be possible to follow those routing and filtering instructions and write a transforms stanza that uses <CODE>SOURCE_KEY = _MetaData:Index</CODE>, to target events for a certain index?</P> <P>So write 1 transforms that assigns everything that matches ERROR to the nullqueue, and the overrule that for events that have Index=PROD? Or something along those lines?</P> Thu, 03 May 2018 07:19:50 GMT https://community.splunk.com/t5/Splunk-Search/need-to-route-data-to-nullqueue-based-on-index/m-p/380777#M169709 FrankVl 2018-05-03T07:19:50Z https://community.splunk.com/t5/Splunk-Search/need-to-route-data-to-nullqueue-based-on-index/m-p/380778#M169710 <P>I thought about something similar.<BR /> Possible, but really dirty hack:</P> <UL> <LI>For all events, append the content of <CODE>index</CODE> to _raw, using a very creative separator. E.g. an event <CODE>yourtext</CODE> becomes <CODE>yourtext#&amp;#&amp;#&amp;QA_main</CODE></LI> <LI>For all events, match on a regex like <CODE>.*ERROR.*#&amp;#&amp;#&amp;QA.*</CODE> and route all events to nullQueue</LI> <LI>For all events, remove the append separator and index again.</LI> </UL> <P>That should work, because you could match ERROR and index in the same step, however it would require three steps to be performed on ALL events, which might get ressource heavy and also is dirty like hell. </P> Tue, 29 Sep 2020 19:20:31 GMT https://community.splunk.com/t5/Splunk-Search/need-to-route-data-to-nullqueue-based-on-index/m-p/380778#M169710 xpac 2020-09-29T19:20:31Z https://community.splunk.com/t5/Splunk-Search/need-to-route-data-to-nullqueue-based-on-index/m-p/380779#M169711 <P>doing this using host stanza.</P> Tue, 08 May 2018 22:08:54 GMT https://community.splunk.com/t5/Splunk-Search/need-to-route-data-to-nullqueue-based-on-index/m-p/380779#M169711 purnavenkatesh 2018-05-08T22:08:54Z https://community.splunk.com/t5/Splunk-Search/need-to-route-data-to-nullqueue-based-on-index/m-p/380780#M169712 <P>Can we use a wildcard something like below?</P> <P>[source::*]<BR /> [host::<EM>]<BR /> [</EM>]</P> Thu, 26 Sep 2019 04:29:33 GMT https://community.splunk.com/t5/Splunk-Search/need-to-route-data-to-nullqueue-based-on-index/m-p/380780#M169712 arunsunny 2019-09-26T04:29:33Z