Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do you exclude log lines from being indexed?

krisbent
New Member
‎08-24-2017 03:37 AM

Hi, I am using Splunk 6.5.
How can I exclude lines containing a pattern from being indexed? In my case I have IIS access logs forwarded by a Universal Forwarder. I have tried to configure like this, but log lines that contains bigip is still indexed.

system/default/props.conf
[iis]
INDEXED_EXTRACTIONS = w3c

system/local/props.conf
[iis]
TRANSFORMS-null=ignorebigip

system/local/transforms.conf
[ignorebigip]
REGEX = (?m)^.(bigip)\s.$
DEST_KEY = queue
FORMAT = nullQueue

If I understand this answer https://answers.splunk.com/answers/453417/parse-iis-logs-structured-data-on-universal-forwar.html , it is not possible to send to the nullQueue when the "standard" [iis] sourcetype with INDEXED_EXTRACTIONS = w3c.

Is that true, do I really have to configure how to extract the fields the "pre-Splunk 6"-way?

0 Karma
Reply

kmorris_splunk
Splunk Employee
Splunk Employee
‎08-25-2017 06:53 AM

It isn't possible to filter data using a Universal Forwarder, with the exception of Blacklisting or Whitelisting Wiindows event codes. You would need to use the props and transforms settings on the indexers, or use a Heavy Forwarder.

If using a Heavy Forwarder, you need to consider how much of the data you are actually filtering out. If it isn't a large percentage, then it isn't worth it since Heavy Forwarders send what is called "cooked data" which is larger than what a Universal Forwarder would send. So you really wouldn't be cutting back on any network traffic.

If you aren't filtering a large portion, use the Universal Forwarder and add the props.conf and transforms.conf settings to your indexers.

Reply
Get Updates on the Splunk Community!

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

  Ready to master Kubernetes and cloud monitoring like the pros?Join Splunk’s Growth Engineering team for an ...

Wrapping Up Cybersecurity Awareness Month

October might be wrapping up, but for Splunk Education, cybersecurity awareness never goes out of season. ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...