Getting Data In

How can I exclude data from being ingested by the universal forwarder?

Engager

Hello all,

I have recently set up Splunk to monitor /var/log/messages.
There is one event in this log that I would like to exclude.
The event itself really does not matter.
I would just like to know how I can keep certain types of data
from getting into Splunk, without ignoring the files which the data comes from.

Please help.

Legend

@neophyte01, you can use nullQueue for this using transforms.conf and props.conf

Refer to documentation: http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Discard_specific_e...

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Engager

@niketnilay thanks. I believe this is what I need.

0 Karma

Legend

@neophyte01, I have converted to answer. Please accept if your issue is resolved.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Revered Legend

And this will be configured on the indexer/heavy forwarder, the one to which your universal forwarder sends data.
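The nullQueue filter described in this thread, shown as an added example that is not part of the original posts. The stanza name `drop_unwanted_event` and the REGEX value are constructed placeholders, and both files are assumed to live on the indexer or heavy forwarder that receives the universal forwarder's data.

```ini
# ---- props.conf (indexer or heavy forwarder) ----
# Attach an index-time transform to events read from this source.
# The source path is the one from the question; the class name
# "drop" and the transform name are hypothetical.
[source::/var/log/messages]
TRANSFORMS-drop = drop_unwanted_event

# ---- transforms.conf (same instance) ----
[drop_unwanted_event]
# Constructed pattern: replace with a regex that matches only the
# one event type you want to discard.
REGEX = example-daemon\[\d+\]: heartbeat ok
# Route matching events to the null queue instead of the index queue.
DEST_KEY = queue
FORMAT = nullQueue
```

Events matching REGEX are discarded before indexing and cannot be recovered, so keep the pattern narrow enough that it cannot match log lines you need for detection or investigation.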
