Is there a way to not collect a whole sourcetype?
I do not wish to collect vmware:perf:datastore, vmware:perf:disk maybe more.
AFAIK, adding to "VM Metric Blacklist" will only not index specific metrics within a group, but not the whole group.
I suggest filtering those sourcetypes using props and transforms, creating a regex expression. Here is a link with a sample.
https://answers.splunk.com/answers/107605/filtering-events-out-via-props-conf-and-transforms-conf.ht...
It can be something like this:
props.conf
[type_your_sourcetype_here_for-vmware]
TRANSFORMS-Filterdatastoredisk = FilterVmware
transforms.conf
[FilterVmware]
REGEX =(?msi)vmware:perf\S(datastore|disk)
DEST_KEY = queue
FORMAT = nullQueue
For the regex expression, please validate the code; it can be similar to what I did, but you have to check it against your data.
For testing the regex expression, this regex on-line tool can be used: https://regex101.com/
You have to specify in your regex expression in transforms.conf which counters you don't want to index; otherwise, it will throw away the entire sourcetype. I believe in your case, you have to create more than one regex expression to match the counters you want to drop from indexing.
Something like this:
props.conf
[type_your_sourcetype_here_for-vmware]
TRANSFORMS-Filterdatacount1 = filtercount1
TRANSFORMS-Filterdatacount2 = filtercount2
transforms.conf
[filtercount1]
REGEX =(?msi)vmware:perf\S(change the regex to match the sourcetype/counter)
DEST_KEY = queue
FORMAT = nullQueue
[filtercount2]
REGEX =(?msi)vmware:perf\S(change the regex to match the sourcetype/counter)
DEST_KEY = queue
FORMAT = nullQueue
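For the case in the question, where whole sourcetypes are to be discarded, here is an added example (not from any of the posts above): props.conf stanzas named after each sourcetype send every event of that sourcetype to nullQueue. It assumes events reach the parsing tier (heavy forwarder or indexer) already carrying these sourcetypes; the transform name drop_vmware_perf is made up for the example.

```ini
# props.conf  (on the heavy forwarder or indexer that parses the data)
# Stanza names are the sourcetypes to discard, taken from the question.
[vmware:perf:datastore]
TRANSFORMS-drop = drop_vmware_perf

[vmware:perf:disk]
TRANSFORMS-drop = drop_vmware_perf

# transforms.conf  (same app, same instance)
# drop_vmware_perf is a hypothetical name chosen for this example.
# REGEX is evaluated against _raw by default, so "." matches every
# non-empty event; selection by sourcetype is done by the props.conf
# stanza name, not by the regex.
[drop_vmware_perf]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
```

Events routed to nullQueue are discarded before indexing and cannot be recovered afterwards, so confirm that no dashboard, alert or report depends on these sourcetypes before deploying.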
While configuring the app, there are some options to blacklist. You can specify them here to be ignored and collect the rest.
As I wrote in the post, the black/white list is for specific counters, not a whole type like vmware:perf:disk for host.