Getting Data In

Automatically reject data when timestamp could not be assigned

guilmxm
Influencer

Hi All,

Does anyone knows a way to automatically reject data when Splunk could not identify event timestamp ?

My goal is to radically prevent inconsistent data to be indexed, if the timestamp could not be identified then this should be considered as an anomaly and the data would be sent to nullqueue (for example) instead of being indexed.

Is that possible ?

Thanks for your help

Guilhem

0 Karma
1 Solution

yannK
Splunk Employee
Splunk Employee

You can create 2 transforms to apply to your data in this order :

  • the first one drop all the events to nullQueue
  • the second look for a regex matching a valid timestamp pattern, and send them back to the indexQueue.

Read this guide "Keep_specific_events_and_discard_the_rest"
http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Keep_specific_even... can add a nullQueue filter that looks for a particular pattern of timestamp, and drop the events it's missing one.
PS : it will happen after the linebreaking and event merging.

View solution in original post

yannK
Splunk Employee
Splunk Employee

You can create 2 transforms to apply to your data in this order :

  • the first one drop all the events to nullQueue
  • the second look for a regex matching a valid timestamp pattern, and send them back to the indexQueue.

Read this guide "Keep_specific_events_and_discard_the_rest"
http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Keep_specific_even... can add a nullQueue filter that looks for a particular pattern of timestamp, and drop the events it's missing one.
PS : it will happen after the linebreaking and event merging.

guilmxm
Influencer

Hi Yann,
Thanks, that's in deed the way to proceed

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...

Request for Professional Development: Attending .conf26

Winning Over the Boss: Your Pass to .conf26 conf26 is going to be here before you know it. If don't already ...