Splunk App For VMware. DCN. avoid collecting some data

splunk0
Path Finder

Is there a way to not collect a whole sourcetype?
I do not wish to collect vmware:perf:datastore, vmware:perf:disk maybe more.
AFAIK, adding to "VM Metric Blacklist" will only not index specific metrics within a group, but not the whole group.

0 Karma
1 Solution

ivanreis
Builder

I suggest filtering those sourcetypes using props and transforms, creating a regex expression. Here is a link with a sample.
https://answers.splunk.com/answers/107605/filtering-events-out-via-props-conf-and-transforms-conf.ht...

It can be something like this:

props.conf

[type_your_sourcetype_here_for-vmware]
TRANSFORMS-Filterdatastoredisk = FilterVmware

transforms.conf
[FilterVmware]
REGEX =(?msi)vmware:perf\S(datastore|disk)
DEST_KEY = queue
FORMAT = nullQueue

For the regex expression, please validate the code; it can be similar to what I did, but you have to check it against your data.
For testing the regex expression, this regex on-line tool can be used: https://regex101.com/

View solution in original post
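
An added example (not part of the original posts and not the app's own configuration) for the case the question asks about, dropping whole sourcetypes. It relies on two documented transforms.conf behaviours: REGEX is evaluated against _raw unless SOURCE_KEY is set, and `REGEX = .` matches every event. The transform and class names are hypothetical, the host pattern is a placeholder, and the sourcetype names are the two from the question.

```ini
# ---- props.conf ----
# Deploy on the first full Splunk instance that parses the data (a heavy
# forwarder or the indexer). Index-time transforms have no effect on a
# search head.

# Variant A: one stanza per sourcetype to discard. The stanza header
# already selects the sourcetype, so the transform can match everything.
[vmware:perf:datastore]
TRANSFORMS-drop_datastore = drop_all_events

[vmware:perf:disk]
TRANSFORMS-drop_disk = drop_all_events

# Variant B (alternative to A): one broader stanza, with the decision made
# on the sourcetype metadata. Replace the placeholder with your own pattern.
# [host::<your_host_pattern>]
# TRANSFORMS-drop_vmware_perf = drop_vmware_perf_by_sourcetype

# ---- transforms.conf ----
[drop_all_events]
# No SOURCE_KEY, so REGEX runs against _raw; "." matches any event text.
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[drop_vmware_perf_by_sourcetype]
# The sourcetype metadata value carries a "sourcetype::" prefix.
SOURCE_KEY = MetaData:Sourcetype
REGEX = ^sourcetype::vmware:perf:(datastore|disk)$
DEST_KEY = queue
FORMAT = nullQueue
```

Events routed to nullQueue are discarded before indexing and cannot be recovered later. After restarting the parsing instance, a search such as `index=* sourcetype="vmware:perf:*" | stats count by sourcetype` over new data shows whether only the intended sourcetypes stopped arriving.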

ivanreis
Builder

You have to specify in your regex expression in transforms.conf which counters you don't want to index; otherwise, it will throw away the entire sourcetype. I believe in your case you have to create more than one regex expression to match the counters you want to drop from indexing.

Something like this:

props.conf

[type_your_sourcetype_here_for-vmware]
TRANSFORMS-Filterdatacount1 = filtercount1
TRANSFORMS-Filterdatacount2 = filtercount2

transforms.conf

[filtercount1]
REGEX =(?msi)vmware:perf\S(change the regex to match the sourcetype/counter)
DEST_KEY = queue
FORMAT = nullQueue

[filtercount2]
REGEX =(?msi)vmware:perf\S(change the regex to match the sourcetype/counter)
DEST_KEY = queue
FORMAT = nullQueue

0 Karma

pruthvikrishnap
Contributor

While configuring the app, there are some options to blacklist. You can specify them here to be ignored and collect the rest.

0 Karma

splunk0
Path Finder

As I wrote in the post, the black/white list is for specific counters, not a whole type like vmware:perf:disk for host.

0 Karma