We have logs coming in udp port 514 and want to exclude indexing events with the field "action" equaling "accept". We have tried inserting the following into the inputs.conf but does not work.
blacklist = action = "accept"
There seems no blacklist setting exist as per inputs conf - inputs.conf - Splunk Documentation
You can send the events to nullQueue to avoid indexing apply the following conf on HF/indexer.
REGEX = action\s+=\s+\"accept\"
DEST_KEY = queue
FORMAT = nullQueue
An upvote would be appreciated and accept solution if it helps!
View solution in original post
Thanks for your help! This did exactly what I was looking for.