Getting Data In

How can I exclude data from being ingested by the universal forwarder?

Engager

Hello all,

I have recently set up Splunk to monitor /var/log/messages.
There is one event in this log that I would like to exclude.
The event itself really does not matter.
I would just like to know how I can keep certain types of data
from getting into Splunk, without ignoring the files which the data comes from.

Please help.

Legend

@neophyte01, you can use nullQueue for this using transforms.conf and props.conf

Refer to documentation: http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Discard_specific_e...

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Engager

@niketnilay thanks. I believe this is what I need.

0 Karma

Legend

@neophyte01, I have converted to answer. Please accept if your issue is resolved.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Revered Legend

And this will be configured on Indexer/Heavy forwarder, one to which your universal forwarder sends data to.

Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!