Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Discard Source type

nikhilagrawal
Path Finder
‎04-19-2012 01:47 AM

I have a situation.
I have defined the source type under Deployment server- deployment app>local>prop.conf> as 

[source::.../engine-*.log]
TRANSFORMS-null=setnull

Also created under deployment app>local> tranforms.conf which includes:

[setnull]
DEST_KEY = queue
FORMAT = nullQueue

As explained link: http://docs.splunk.com/Documentation/Splunk/4.3/Deploy/Routeandfilterdatad#Filter_event_data_and_sen...

I want to discard the source type for the time being because data is not required for now but might req in future. Created a corresponding stanza in transforms.conf. Set DEST_KEY to "queue" and FORMAT to "nullQueue":
Problem: I am still getting data from that source type. Can you suggest to resolve this?

thanks

Tags (2)
0 Karma
Reply

Drainy
Champion
‎04-19-2012 02:44 AM

Do you mean source when you say sourcetype?
Did you restart after making those changes?
Also, they will only affect newly indexed data, all your old data will still persist in your index

0 Karma
Reply

nikhilagrawal
Path Finder
‎04-20-2012 06:29 AM

Can anyone suggest to my above query please?

0 Karma
Reply

nikhilagrawal
Path Finder
‎04-19-2012 08:40 AM

No It is source type named engine(in my case) and I have restarted the DS. Do I need to restart the forwarder as well? I dont mind with the existing data just want to ignore for future. I have also tried to comment out like:

[source::.../engine-*.log]

sourcetype=engine

TRANSFORMS-null= setnull

Just to check if it discard the data but still showing the indexed data.
Any suggestion?

0 Karma
Reply
Get Updates on the Splunk Community!

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Combine multiline logs into a single event with SOCK - a step-by-step guide for newbies Olga Malita The ...