Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How do you exclude log lines from being indexed?

krisbent
New Member
‎08-24-2017 03:37 AM

Hi, I am using Splunk 6.5.
How can I exclude lines containing a pattern from being indexed? In my case I have IIS access logs forwarded by a Universal Forwarder. I have tried to configure like this, but log lines that contains bigip is still indexed.

system/default/props.conf
[iis]
INDEXED_EXTRACTIONS = w3c

system/local/props.conf
[iis]
TRANSFORMS-null=ignorebigip

system/local/transforms.conf
[ignorebigip]
REGEX = (?m)^.(bigip)\s.$
DEST_KEY = queue
FORMAT = nullQueue

If I understand this answer https://answers.splunk.com/answers/453417/parse-iis-logs-structured-data-on-universal-forwar.html , it is not possible to send to the nullQueue when the "standard" [iis] sourcetype with INDEXED_EXTRACTIONS = w3c.

Is that true, do I really have to configure how to extract the fields the "pre-Splunk 6"-way?

0 Karma
Reply

kmorris_splunk
Splunk Employee
Splunk Employee
‎08-25-2017 06:53 AM

It isn't possible to filter data using a Universal Forwarder, with the exception of Blacklisting or Whitelisting Wiindows event codes. You would need to use the props and transforms settings on the indexers, or use a Heavy Forwarder.

If using a Heavy Forwarder, you need to consider how much of the data you are actually filtering out. If it isn't a large percentage, then it isn't worth it since Heavy Forwarders send what is called "cooked data" which is larger than what a Universal Forwarder would send. So you really wouldn't be cutting back on any network traffic.

If you aren't filtering a large portion, use the Universal Forwarder and add the props.conf and transforms.conf settings to your indexers.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...