Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I exclude data from being ingested by the universal forwarder?

neophyte01
Engager
‎11-22-2017 09:39 AM

Hello all,

I have recently set up Splunk to monitor /var/log/messages.
There is one event in this log that I would like to exclude.
The event itself really does not matter.
I would just like to know how I can keep certain types of data
from getting into Splunk, without ignoring the files which the data comes from.

Please help.

Reply

niketnilay
Legend
‎11-22-2017 12:18 PM

@neophyte01, you can use nullQueue for this using transforms.conf and props.conf

Refer to documentation: http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Discard_specific_e...

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

neophyte01
Engager
‎11-27-2017 08:24 AM

@niketnilay thanks. I believe this is what I need.

0 Karma
Reply

niketnilay
Legend
‎11-30-2017 06:52 AM

@neophyte01, I have converted to answer. Please accept if your issue is resolved.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

somesoni2
Revered Legend
‎11-22-2017 12:28 PM

And this will be configured on Indexer/Heavy forwarder, one to which your universal forwarder sends data to.

Reply
The Latest From the Splunk Community!