Solved: Splunk Add-on for ServiceNow: How to exclude logs ...

Log_wrangler · ‎03-02-2018

Looking for a conf example and some advice on limiting API calls to not include events where a field contains or does not contain a certain value.

So my first question is:
When I configure ... /etc/apps/Splunk_TA_snow/local inputs.conf to "filter" will that discard events NOT containing the specified values from being indexed AND from the API call? I am thinking it should be filter_data = url="/*" to GET and index only events with a url that starts with "/"...

Can anyone share an example using the "Excluded properties" option excluding events with a field "url" (from [snow://syslog_transaction] where the value does not contain a url starting "/"?

Thank you

deepashri_123 · ‎03-05-2018

Hey Log_wrangler,

You can refer to the doc below:
http://docs.splunk.com/Documentation/Splunk/7.0.2/Forwarding/Routeandfilterdatad#Discard_specific_ev...

View solution in original post

deepashri_123 · ‎03-05-2018

Hey Log_wrangler,

You can refer to the doc below:
http://docs.splunk.com/Documentation/Splunk/7.0.2/Forwarding/Routeandfilterdatad#Discard_specific_ev...

Log_wrangler · ‎03-08-2018

Thank you for the link, I was actually trying to use the snow ta conf only.

deepashri_123 · ‎03-08-2018

If that helped you can accept the answer 🙂

Splunk Add-on for ServiceNow: How to exclude logs where URL field values does not begin with a "/"?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation