Is there a way to ignore certain events

Path Finder

Is there a way to have Splunk ignore certain events?

Here is a sample event that needs to be ignored:

_!================================================
_!**
$!** PROCEDURE .. : ATXXX

$!** VERSION .....: 000

$!** EXECUTION .. : 0010101

_!**
$!** SESSION .... : ATXXXX

$!** VERSION .... : 000

$!** EXECUTION .. : 0007861

_!**
_!** PROCESS DATE : 04/04/2015
_!**
_!------------------------------------------------
$!** PARAMETERS. : None

_!------------------------------------------------
_!** VARIABLES

I am not getting an idea of the exact transforms that are required.

Motivator

Yes, it is possible to have Splunk ignore certain events even when it indexes them: use NOT to do it.
You can do:

your_base_search NOT [ search search_of_certain_events_to_ignore ]

In your case, try it like this:

your_base_search NOT[ search  REGEX = ^\$\!\*\*\s+\w+\s+\.\.\s+:\s+\w+ $] |....

SplunkTrust

Yes, it is possible to have Splunk ignore certain events and not index them. The first step in doing so is to create a regex string that matches events you wish to ignore. Then you put that string in your transforms.conf file and direct the events to nullQueue.

---
If this reply helps you, an upvote would be appreciated.

Path Finder

This is my props.conf

[sourcetype]
KV_MODE = none
CHECK_FOR_HEADER = false
TRANSFORMS-commentsToNull = utracking-ignore-astericks

transforms.conf

[utracking-ignore-astericks]
REGEX = ^\$\!\*\*\s+\w+\s+\.\.\s+:\s+\w+ $
DEST_KEY = queue
FORMAT = nullQueue

But I am still unable to get the desired result of ignoring the events.


SplunkTrust

Your regex string does not match the sample event you provided. What are you looking for in the event that tells you to ignore it? Consider using a site like www.regex101.com to test your regex strings against your events.

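Added example (not part of the thread and not Splunk's own code): an offline check of the posted REGEX against the sample event, in the spirit of the regex101 suggestion above. Python's `re` stands in for Splunk's PCRE engine for these constructs, the sample lines are retyped from the question with no trailing whitespace (an assumption), and `CANDIDATE` is a hypothetical pattern that assumes every line beginning with `_!` or `$!` should be dropped.

```python
import re

# Sample event retyped from the question (blank lines dropped).
# Assumption: no line carries trailing whitespace.
SAMPLE_EVENT = """\
_!================================================
_!**
$!** PROCEDURE .. : ATXXX
$!** VERSION .....: 000
$!** EXECUTION .. : 0010101
_!**
$!** SESSION .... : ATXXXX
$!** VERSION .... : 000
$!** EXECUTION .. : 0007861
_!**
_!** PROCESS DATE : 04/04/2015
_!**
_!------------------------------------------------
$!** PARAMETERS. : None
_!------------------------------------------------
_!** VARIABLES
"""

# REGEX from the posted transforms.conf stanza, unchanged.
POSTED = r"^\$\!\*\*\s+\w+\s+\.\.\s+:\s+\w+ $"

# Hypothetical alternative: drop anything that starts with "_!" or "$!".
CANDIDATE = r"^[_$]!"


def matching_lines(pattern, text):
    """Lines the REGEX would match if each line were indexed as its own event."""
    rx = re.compile(pattern)
    return [line for line in text.splitlines() if rx.search(line)]


def matches_event(pattern, text):
    """True if the REGEX matches the text treated as one multi-line event."""
    return re.search(pattern, text) is not None


if __name__ == "__main__":
    total = len(SAMPLE_EVENT.splitlines())
    for name, pat in (("posted", POSTED), ("candidate", CANDIDATE)):
        hits = matching_lines(pat, SAMPLE_EVENT)
        print(f"{name}: {len(hits)} of {total} lines, whole event: {matches_event(pat, SAMPLE_EVENT)}")
    # The posted pattern ends in " $": it needs a literal space right before end of line.
    print(matching_lines(POSTED, "$!** PROCEDURE .. : ATXXX \n"))
```

Events routed to nullQueue are discarded before indexing and cannot be recovered later, so check the pattern against representative data before deploying it.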