Solved: Re: How to exclude a sourcetype from being indexed...

skoelpin · ‎07-29-2015

I have a forwarder on 3 different servers which grabs all the data coming from those servers. There is 1 specific sourcetype and source both called 'WinEventLog:Application' which we do not want indexed.

Where in the forwarder do I exclude this source/sourcetype from being indexed?

woodcock · ‎07-29-2015

The answer by @somesoni2 should work and is the proper way to do it because it stops the forwarders from doing work that is not necessary which this alternate solution does not do. The solution below will have the forwarders send the data in and then the indexers will trash all events for the undesirable sourcetype:

In props.conf do this:

[WinEventLog:Application]
TRANSFORMS-remove_events = remove_events

In transforms.conf do this:

[remove_events]
REGEX = *
DEST_KEY = queue
FORMAT = nullQueue

View solution in original post

woodcock · ‎07-29-2015

The answer by @somesoni2 should work and is the proper way to do it because it stops the forwarders from doing work that is not necessary which this alternate solution does not do. The solution below will have the forwarders send the data in and then the indexers will trash all events for the undesirable sourcetype:

In props.conf do this:

[WinEventLog:Application]
TRANSFORMS-remove_events = remove_events

In transforms.conf do this:

[remove_events]
REGEX = *
DEST_KEY = queue
FORMAT = nullQueue

jawaharas · ‎12-30-2018

Thank you.

However below configuration line errored out.
[remove_events]
REGEX = *

By modifying as below, it works.
[remove_events]
REGEX = (?s).*

skoelpin · ‎07-29-2015

I just looked at the 3 hosts which have the WinEventLog:Application and these are being indexed in index=main while my legitimate events are being indexed in the index I specified in the inputs.conf file.. So maybe this would explain why I can't find it.. But why is data being indexed if I didn't specify the source or sourcetype in the inputs.conf?

woodcock · ‎07-29-2015

Depending on your OS and the package that you download, Splunk is preconfigured to send some things in by default. Most of the time, this is what people desire so it makes sense.

skoelpin · ‎07-29-2015

Should I do this on the Indexer or forwarder?

woodcock · ‎07-29-2015

On the indexers and then restart Splunk services.

somesoni2 · ‎07-29-2015

Find the inputs.conf file on the forwarder which defines the data input (what data is monitored and where its stored). It could be in Splunk_Home/etc/system/local OR Splunk_Home/etc/apps/SomeAppName/local OR / Splunk_Home/etc/apps/SomeAppName/default. Once found look for the sourcetype name and disable/remove the data input which is using that sourcetype. Restart the forwarder once done.

skoelpin · ‎07-29-2015

Yeah I have that pulled open and the sourcetype is already defined as sourcetype=ATG_Message_Log.. I see nothing on any of the boxes which show the source or sourcetype as WinEventLog:Application

How to exclude a sourcetype from being indexed?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk