I have a forwarder on 3 different servers which grabs all the data coming from those servers. There is 1 specific sourcetype and source both called 'WinEventLog:Application' which we do not want indexed.
Where in the forwarder do I exclude this source/sourcetype from being indexed?
The answer by @somesoni2 should work and is the proper way to do it because it stops the forwarders from doing work that is not necessary which this alternate solution does not do. The solution below will have the forwarders send the data in and then the indexers will trash all events for the undesirable sourcetype:
In props.conf do this:
[WinEventLog:Application]
TRANSFORMS-remove_events = remove_events
In transforms.conf do this:
[remove_events]
REGEX = *
DEST_KEY = queue
FORMAT = nullQueue
Thank you.
However, the configuration line below errored out.
[remove_events]
REGEX = *
By modifying it as below, it works.
[remove_events]
REGEX = (?s).*
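As an added illustration (not posted by anyone in this thread, and not Splunk's own code), the small Python script below mimics the transforms.conf routing step: it parses the two stanzas quoted above into dictionaries, shows that `REGEX = *` is rejected as an invalid pattern while `REGEX = (?s).*` compiles and matches every constructed sample event, and reports which events would be sent to nullQueue. The stanza parser, `route_event` and the sample events are assumptions made for this example.

```python
import re
from typing import Dict, List, Optional

# Constructed transforms.conf stanzas (not Splunk's own parser or files): the one
# posted in the answer above and the corrected one from the follow-up comment.
TRANSFORMS_BROKEN = """[remove_events]
REGEX = *
DEST_KEY = queue
FORMAT = nullQueue
"""
TRANSFORMS_FIXED = """[remove_events]
REGEX = (?s).*
DEST_KEY = queue
FORMAT = nullQueue
"""

def parse_stanzas(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI-style parse of a .conf file into {stanza: {key: value}}."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def route_event(raw_event: str, transform: Dict[str, str]) -> Optional[str]:
    """Return the queue name when REGEX matches and DEST_KEY is 'queue', else None (event is indexed)."""
    pattern = re.compile(transform["REGEX"])  # re.error for an invalid pattern such as '*'
    if transform.get("DEST_KEY") == "queue" and pattern.search(raw_event):
        return transform["FORMAT"]
    return None

def check_transform(conf_text: str, events: List[str]) -> Dict[str, object]:
    """Validate the stanza's regex and report where each event would be routed."""
    transform = parse_stanzas(conf_text)["remove_events"]
    try:
        routes = [route_event(e, transform) for e in events]
    except re.error as exc:
        return {"valid": False, "error": str(exc), "routes": []}
    return {"valid": True, "error": "", "routes": routes}

# Constructed sample events, including a multi-line Windows Application log entry.
SAMPLE_EVENTS = ["01/01/2020 10:00:00 AM\nLogName=Application\nEventCode=1040", "single line"]
```

Running `check_transform(TRANSFORMS_FIXED, SAMPLE_EVENTS)` routes both sample events to nullQueue, while the broken stanza is reported as invalid before any event is evaluated.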
I just looked at the 3 hosts which have the WinEventLog:Application, and these are being indexed in index=main, while my legitimate events are being indexed in the index I specified in the inputs.conf file. So maybe this would explain why I can't find it. But why is data being indexed if I didn't specify the source or sourcetype in the inputs.conf?
Depending on your OS and the package that you download, Splunk is preconfigured to send some things in by default. Most of the time, this is what people desire so it makes sense.
Should I do this on the Indexer or forwarder?
On the indexers and then restart Splunk services.
Find the inputs.conf file on the forwarder which defines the data input (what data is monitored and where it's stored). It could be in Splunk_Home/etc/system/local OR Splunk_Home/etc/apps/SomeAppName/local OR Splunk_Home/etc/apps/SomeAppName/default. Once found, look for the sourcetype name and disable/remove the data input which is using that sourcetype. Restart the forwarder once done.
Yeah, I have that pulled open and the sourcetype is already defined as sourcetype=ATG_Message_Log. I see nothing on any of the boxes which shows the source or sourcetype as WinEventLog:Application.