Are you a member of the Splunk Community?
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- Splunk App For VMware. DCN. avoid collecting some ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is there a way to not collect a whole sourcetype?
I do not wish to collect vmware:perf:datastore, vmware:perf:disk maybe more.
AFAIK, adding to "VM Metric Blacklist" will only not index specific metrics within a group, but not the whole group.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I suggest to filter those sourcetype using props and transforms, creating regex expression. Here is link with a sample.
https://answers.splunk.com/answers/107605/filtering-events-out-via-props-conf-and-transforms-conf.ht...
it can be something like this:
props.conf
[type_your_sourcetype_here_for-vmware]
TRANSFORMS-Filterdatastoredisk = FilterVmware
transforms.conf
[FilterVmware]
REGEX =(?msi)vmware:perf\S(datastore|disk)
DEST_KEY = queue
FORMAT = nullQueue
For the regex expression, please validate the code, it can be similar with I did, but you have to check it against your data.
For testing the regex expression, this regex on-line tool can be used: https://regex101.com/
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you have to specify in your regex expression at tranforms.conf what is the counters you don't want to index, otherwise, it will through away the entire sourcetype. I believe in your case, you have to create more than one regex expression to match the counters you want to drop from indexing.
something like this:
[typeyoursourcetypeherefor-vmware]
TRANSFOMRS-Filterdatacount1=filtercount1
TRANSFOMRS-Filterdatacount1=filtercount2
transforms.conf
[filtercount1]
REGEX =(?msi)vmware:perf\S(change the regex to match the sourcetype/counter)
DEST_KEY = queue
FORMAT = nullQueue
[filtercount2]
REGEX =(?msi)vmware:perf\S(change the regex to match the sourcetype/counter)
DEST_KEY = queue
FORMAT = nullQueue
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I suggest to filter those sourcetype using props and transforms, creating regex expression. Here is link with a sample.
https://answers.splunk.com/answers/107605/filtering-events-out-via-props-conf-and-transforms-conf.ht...
it can be something like this:
props.conf
[type_your_sourcetype_here_for-vmware]
TRANSFORMS-Filterdatastoredisk = FilterVmware
transforms.conf
[FilterVmware]
REGEX =(?msi)vmware:perf\S(datastore|disk)
DEST_KEY = queue
FORMAT = nullQueue
For the regex expression, please validate the code, it can be similar with I did, but you have to check it against your data.
For testing the regex expression, this regex on-line tool can be used: https://regex101.com/
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
While configuring the app, there are some options to blacklist. you can specify them here to be ignored and collect the rest.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As I wrote in the post, the black.white list is for specific counters, not whole type like vmware:perf:disk for host
CX Day is Coming!
Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!
Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console
