Getting Data In

Can I blacklist sourcetype or Index?

Path Finder

We have client logs getting indexed using Rest API and our license is overloaded with high volume. Because of REST API setup, we don't have a forwarder pushing logs to Splunk indexer-- it's getting indexed directly from user machines. Is there any way we can just blacklist the index or source type?

Thanks

0 Karma
1 Solution

SplunkTrust
SplunkTrust

Deploy the following to your indexer(s) or whatever is your next hop after the collection layer:

In props.conf:

[yoursourcetypename]
TRANSFORMS-null= setnull

In transforms.conf:

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

More details here:
http://docs.splunk.com/Documentation/Splunk/6.3.2/Forwarding/Routeandfilterdatad#Filter_event_data_a...

I think you can also prefilter this in your clients if you have already specify the index name at collection time. See this: http://docs.splunk.com/Documentation/Splunk/6.2.0/Forwarding/Routeandfilterdatad#Filter_data_by_targ...

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

Deploy the following to your indexer(s) or whatever is your next hop after the collection layer:

In props.conf:

[yoursourcetypename]
TRANSFORMS-null= setnull

In transforms.conf:

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

More details here:
http://docs.splunk.com/Documentation/Splunk/6.3.2/Forwarding/Routeandfilterdatad#Filter_event_data_a...

I think you can also prefilter this in your clients if you have already specify the index name at collection time. See this: http://docs.splunk.com/Documentation/Splunk/6.2.0/Forwarding/Routeandfilterdatad#Filter_data_by_targ...

View solution in original post

0 Karma