Getting Data In

How can I exclude data from being ingested by the universal forwarder?

neophyte01
Engager

Hello all,

I have recently set up Splunk to monitor /var/log/messages.
There is one event in this log that I would like to exclude.
The event itself really does not matter.
I would just like to know how I can keep certain types of data
from getting into Splunk, without ignoring the files which the data comes from.

Please help.

niketnilay
Legend

@neophyte01, you can use nullQueue for this using transforms.conf and props.conf

Refer to documentation: http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Discard_specific_e...

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

neophyte01
Engager

@niketnilay thanks. I believe this is what I need.

0 Karma

niketnilay
Legend

@neophyte01, I have converted to answer. Please accept if your issue is resolved.

0 Karma

somesoni2
Revered Legend

And this will be configured on the Indexer/Heavy forwarder, the one to which your universal forwarder sends data.
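
The nullQueue filtering described in the answers above, as an added example that is not part of the original thread. The transform name `setnull` and the `REGEX` pattern are constructed placeholders; the source path is the one from the question, and both files belong on the indexer or heavy forwarder that receives the universal forwarder's data.

```ini
# ---- props.conf (on the indexer / heavy forwarder) ----
# Attach a transform to every event read from the monitored file.
# The file itself is still monitored; only matching events are dropped.
[source::/var/log/messages]
TRANSFORMS-null = setnull

# ---- transforms.conf (same instance as props.conf) ----
# "setnull" is a hypothetical stanza name; it must match the name
# referenced by TRANSFORMS-null above.
[setnull]
# Constructed placeholder pattern: replace with a regex that matches
# only the event you want to discard.
REGEX = unwanted_event_text
# Rewrite the event's queue so it is routed to nullQueue and never indexed.
DEST_KEY = queue
FORMAT = nullQueue
```

Restart Splunk on the instance holding these files for the change to take effect. Events discarded this way are not indexed, so keep the regex narrow enough that it cannot match log lines you need for detection or investigation.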