Solved: Filtering out data

anandhalagarasa · ‎10-21-2019

Hi Team,

We want to filter out the data during indexing time itself if the particular pattern (com.splunk.application) is captured in log. Hence kindly let us know what would be the props and transforms for the same. And the remaining data should ingest into splunk without any issues.

Pattern: If the keyword is present "com.splunk.application" in the event then it should not be indexed.

Sample Event:

DEBUG 2019-10-18 18:43:32,487 [I/O marker 01] com.splunk.applicationinsights.web.url.https.implementation.xxx.client.Maininstallerprog - [ad: 1] Response
processed

DEBUG 2019-10-18 18:43:32,487 [I/O marker 01] com.splunk.applicationinsights.web.url.https.implementation.xx.client.Internalmessage - [ex: 1] releasing connection

kamlesh_vaghela · ‎10-21-2019

@anandhalagarasan

Can you please below configs?

props.conf

[YOUR_SOURCETYPE]
TRANSFORMS-null= setnull

transforms.conf

[setnull]
SOURCE_KEY=_raw
REGEX = (com.splunk.application)
DEST_KEY = queue
FORMAT = nullQueue

Note: Do change regular expression if required.

View solution in original post

kamlesh_vaghela · ‎10-21-2019

@anandhalagarasan

Can you please below configs?

props.conf

[YOUR_SOURCETYPE]
TRANSFORMS-null= setnull

transforms.conf

[setnull]
SOURCE_KEY=_raw
REGEX = (com.splunk.application)
DEST_KEY = queue
FORMAT = nullQueue

Note: Do change regular expression if required.

anandhalagarasa · ‎10-21-2019

Thanks kamlesh it works like a charm.

anandhalagarasa · ‎10-21-2019

Hi Team,

Can you kindly help on this.

Filtering out data

Observability | How to Think About Instrumentation Overhead (White Paper)

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

The Great Resilience Quest: 10th Leaderboard Update