Hi Team,
We want to filter out the data at indexing time itself if a particular pattern (com.splunk.application) is captured in the log. Hence, kindly let us know what the props and transforms would be for the same. The remaining data should be ingested into Splunk without any issues.
Pattern: If the keyword "com.splunk.application" is present in the event, then it should not be indexed.
Sample Event:
DEBUG 2019-10-18 18:43:32,487 [I/O marker 01] com.splunk.applicationinsights.web.url.https.implementation.xxx.client.Maininstallerprog - [ad: 1] Response processed
DEBUG 2019-10-18 18:43:32,487 [I/O marker 01] com.splunk.applicationinsights.web.url.https.implementation.xx.client.Internalmessage - [ex: 1] releasing connection
@anandhalagarasan
Can you please try the below configs?
props.conf
[YOUR_SOURCETYPE]
TRANSFORMS-null = setnull
transforms.conf
[setnull]
# Match against the raw event text
SOURCE_KEY = _raw
# Dots are escaped so they match a literal "." only
REGEX = (com\.splunk\.application)
DEST_KEY = queue
FORMAT = nullQueue
Note: Do change the regular expression if required.
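A way to check the REGEX offline before deploying it, since events routed to nullQueue are discarded before indexing and cannot be recovered afterwards. This is an added example, not part of the original answer: it uses Python's `re` as a stand-in for Splunk's PCRE (equivalent for this simple pattern), the `route` and `compare` helpers are hypothetical names, and all sample events are constructed.

```python
import re

# Constructed sample events; the first follows the shape of the event in the question.
EVENTS = [
    "DEBUG 2019-10-18 18:43:32,487 [I/O marker 01] "
    "com.splunk.applicationinsights.web.url.https.implementation.xxx.client."
    "Maininstallerprog - [ad: 1] Response processed",
    "INFO 2019-10-18 18:43:33,001 [main] com.example.billing.Invoice - invoice created",
    # Contains no literal "com.splunk.application", but an unescaped "." matches any character.
    "WARN 2019-10-18 18:43:34,120 [main] com.example.audit.Login - "
    "host=comXsplunk-application01 login failed",
    # Multi-line event: the keyword appears only in a continuation line.
    "DEBUG 2019-10-18 18:43:35,000 [worker] com.example.Job - started\n"
    "    at com.splunk.application.Runner.run(Runner.java:10)",
]

def route(events, pattern):
    """Mimic a transform with DEST_KEY = queue and FORMAT = nullQueue:
    an event whose _raw matches REGEX is dropped, the rest are indexed."""
    rx = re.compile(pattern)
    dropped, indexed = [], []
    for raw in events:
        (dropped if rx.search(raw) else indexed).append(raw)
    return dropped, indexed

def compare(events=EVENTS):
    """Return events dropped by the unescaped pattern but kept by the escaped one."""
    loose, _ = route(events, r"com.splunk.application")
    strict, _ = route(events, r"com\.splunk\.application")
    return [e for e in loose if e not in strict]

if __name__ == "__main__":
    dropped, indexed = route(EVENTS, r"com\.splunk\.application")
    print(f"escaped pattern: {len(dropped)} dropped, {len(indexed)} indexed")
    for event in compare():
        print("dropped only by the unescaped pattern:", event.splitlines()[0])
```

The multi-line case shows that a match anywhere in the merged event drops the whole event, not just the matching line.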
Thanks Kamlesh, it works like a charm.
Hi Team,
Can you kindly help on this?