Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I filter events before they are indexed so they aren't indexed?

amit2301
New Member
‎09-26-2017 06:16 AM

I tried this solution but no success.
I am trying to filter data from being indexed.I need only the Error events

In props conf:
[source:://C:\Windows\System32\winevt\Logs]

Transforms must be applied in this order

to make sure events are dropped on the

floor prior to making their way to the

index processor

TRANSFORMS-set = setnull, setparsing

In transforms.conf:
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX = Error
DEST_KEY = queue
FORMAT = indexQueue

0 Karma
Reply

woodcock
Esteemed Legend
‎12-26-2019 12:23 PM

If you are sure that your settings are correct, it must be something else. If you are doing a sourcetype override/overwrite, you must use the ORIGINAL value, NOT the new value. You must deploy your settings to the first full instance(s) of Splunk that handle the events (usually either the HF tier if you use one, or else your Indexer tier) UNLESS you are using HEC's JSON endpoint (it gets pre-cooked) or INDEXED_EXTRACTIONS (configs go on the UF in that case), then restart all Splunk instances there. When (re)evaluating, you must send in new events (old events will stay broken), then test using _index_earliest=-5m to be absolutely certain that you are only examining the newly indexed events.

0 Karma
Reply

vhharanpositka
Path Finder
‎12-26-2019 09:12 AM

Hi amit

I have tried the above configuration but still, I have a thought that the events in pushed to the null queue are added in the license usage. Please, someone, make sure that it won't be added in the License usage

0 Karma
Reply

gaurav_maniar
Builder
‎08-02-2019 08:05 AM

Hi Amit,

props.conf & transforms.conf configuration looks correct.

Parsing of data can only be done before indexing i.e at Forwarder side.
So you need to put these conf files on Forwarder instance, and it should be a Heavy Forwarder.

Please upvote and accept the answer if it solves your issue.

Happy Splunking !!!

0 Karma
Reply

rashi83
Path Finder
‎08-02-2019 08:08 AM

As per the above link, filtering can be done on Indexer level as well.

Isn't correct ?

0 Karma
Reply

gaurav_maniar
Builder
‎08-02-2019 08:16 AM

Yes, but most of the time using Universal Forwarder and parsing at Indexer causes issues.

0 Karma
Reply

rashi83
Path Finder
‎08-02-2019 08:18 AM

Can you elaborate what are such issues?

We have a situation where we do not control forwarders and there is huge amount of unwanted logs coming and outgrowing the licenses. We have a demand to control such logs are Indexer level.

0 Karma
Reply

rashi83
Path Finder
‎08-02-2019 07:14 AM

Can you please confirm location of props.conf and transform.conf ? I am trying to filter the events on Indexer as I do not have access to forwarders.

0 Karma
Reply

sbbadri
Motivator
‎09-26-2017 10:28 AM

@amit2301
Your props.conf and transforms.conf seems correct.

Please double check you have proper regex for indexQueue. Also check you must place your props.conf and transforms.conf on the indexer or heavy forwarder.

Also go through below link for further details,
http://docs.splunk.com/Documentation/Splunk/6.6.2/Forwarding/Routeandfilterdatad

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...