Archive
Highlighted

Is there a way to ignore certain events

Path Finder

Is there a way to ignore splunk to read certain events:

Here is a sample event that needs to be ignored:

_!================================================
_!**
$!** PROCEDURE .. : ATXXX

$!** VERSION .....: 000

$!** EXECUTION .. : 0010101

_!**
$!** SESSION .... : ATXXXX

$!** VERSION .... : 000

$!** EXECUTION .. : 0007861

_!**
_!** PROCESS DATE : 04/04/2015
_!**
_!------------------------------------------------
$!** PARAMETERS. : None

_!------------------------------------------------
_!** VARIABLES

I am not getting an idea of the exact transforms that is required.

Tags (2)
0 Karma
Highlighted

Re: Is there a way to ignore certain events

SplunkTrust
SplunkTrust

Yes, it is possible to have Splunk ignore certain events and not index them. The first step in doing so is to create a regex string that matches events you wish to ignore. Then you put that string in your transforms.conf file and direct the events to nullQueue.

---
If this reply helps you, an upvote would be appreciated.
Highlighted

Re: Is there a way to ignore certain events

Path Finder

This is my props.conf

[sourcetype]
KV_MODE = none
CHECK_FOR_HEADER = false
TRANSFORMS-commentsToNull = utracking-ignore-astericks

transforms.conf

[utracking-ignore-astericks]
REGEX = ^\$\!\*\*\s+\w+\s+\.\.\s+:\s+\w+ $
DEST_KEY = queue
FORMAT = nullQueue

But still I am unable to get the desired results of ignoring events

0 Karma
Highlighted

Re: Is there a way to ignore certain events

SplunkTrust
SplunkTrust

Your regex string does not match the sample event you provided. What are you looking for in the event that tells you to ignore it? Consider using a site like www.regex101.com to test your regex strings against your events.

---
If this reply helps you, an upvote would be appreciated.
0 Karma
Highlighted

Re: Is there a way to ignore certain events

Motivator

Yes, it is possible to have Splunk ignore certain events same when it index them
use NOT to do it.
you can do

your_base_search  NOT[ search search_of _certain_events__to_ignore] 

in you case try like this:

your_base_search NOT[ search  REGEX = ^\$\!\*\*\s+\w+\s+\.\.\s+:\s+\w+ $] |....
0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.