
How do I filter out certain messages in Splunk Cloud?


I have a data source that is very noisy, and I'd like to exclude certain messages from that source from indexing in my Splunk Cloud instance.

I see from this answer that it's possible to filter out certain messages by editing config files in a self-hosted Splunk instance. How do I accomplish the same thing in Splunk Cloud? I'm guessing that it involves adding a field transformation from the GUI, but I don't understand how to complete the form when I just want to throw away messages that match my regex.

(I don't have enough points to post a link, sorry about that)



Basically you come up with props.conf and transforms.conf settings that get applied at index time (whether that's with the UI or by hand, either way). If it's a message that matches a regex, you would typically have a TRANSFORMS attribute in props, pointing to a stanza in transforms.conf that, when your regex matches, sets the next queue to the nullQueue. See the example at:

With Splunk Cloud, I'm not sure if you could log a ticket once you've developed the configuration and get them to plop your settings onto your indexers (I would think this falls into "Modifying the configuration settings of your Splunk Cloud deployment" that Splunk Support is supposed to be able to help you with per the FAQ, but I'm not a Splunk Cloud customer). The alternative is where you set up a (group of) Heavy Weight (Intermediate) Forwarder(s) ... in this setup, instead of having your existing forwarders send directly to Splunk Cloud, they send to the HWFs. The HWFs apply all the parsing and filtering rules, and only forward on those that you want to. This gives you more instant control of course, with the cost of maintaining more systems and settings obviously.
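
The props.conf/transforms.conf pairing described in the answer above, as an added example that is not part of the original post. The sourcetype names and regexes are hypothetical placeholders; the second pair goes one step further and shows the inverse pattern (keep only matching events, discard the rest).

```ini
# ---- props.conf (on the heavy forwarder or indexer that parses the data) ----
# "noisy:app" is a hypothetical sourcetype; use the one your events carry.
[noisy:app]
TRANSFORMS-drop_noise = drop_noisy_messages

# "noisy:syslog" is a second hypothetical sourcetype, used for the
# keep-only variant. Transforms run left to right, so the later one wins.
[noisy:syslog]
TRANSFORMS-keep_only = send_all_to_null, keep_sshd

# ---- transforms.conf (same instance) ----
# Variant 1: discard only the events that match.
# Keep the pattern narrow: events routed to nullQueue are dropped before
# indexing and cannot be recovered later for an investigation.
[drop_noisy_messages]
# Hypothetical pattern: DEBUG lines and health-check requests.
REGEX = (?:\sDEBUG\s|GET /healthz\s)
DEST_KEY = queue
FORMAT = nullQueue

# Variant 2: discard everything for the sourcetype ...
[send_all_to_null]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# ... then route the events worth keeping back to the index queue.
[keep_sshd]
# Hypothetical pattern: keep sshd messages only.
REGEX = sshd\[\d+\]
DEST_KEY = queue
FORMAT = indexQueue
```

These settings take effect where the data is parsed, so they belong on the heavy forwarder tier or the indexers, not on universal forwarders.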
