Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: How to exclude string from being indexed?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello community,
i want to configure the splunk forwarder to exclude one specific string from being indexed to the splunk index.
In my case i want to exclude all lines like this from being transferred to the indexer:
*[25-Jun-2019 15:31:29 Europe/Berlin] PHP Deprecated: The "checkDataSubmission" hook will be removed...*
These are my config files:
File: **/opt/splunkforwarder/etc/system/local/inputs.conf**
...
[monitor:///var/log/docker/php-fpm/error.log]
sourcetype=php:fpm:error
crcSalt=
index=php
File: **/opt/splunkforwarder/etc/system/local/props.conf**
[source::/var/log/docker/php-fpm/error.log]
TRANSFORMS-null= setnull
File: **/opt/splunkforwarder/etc/system/local/transforms.conf **
[setnull]
REGEX = .*PHP Deprecated.*
DEST_KEY = queue
FORMAT = nullQueue
I've done the following steps to debug this by myself:
executed:
- *./splunk cmd btool props list --debug*
- *./splunk cmd btool transforms list --debug*
To check if my configuration files was loaded when restarting the splunk service. All my configured lines are displayed by this.
Also i've restarted the splunk forwarder after editing the config.
Every help will be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@mmsbswe
Looks like you are trying to do this on the Univ forwarder itself. These would not apply on UF.
You'd require to take these settings of props.conf and transforms.conf onto your indexer.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@mmsbswe
Looks like you are trying to do this on the Univ forwarder itself. These would not apply on UF.
You'd require to take these settings of props.conf and transforms.conf onto your indexer.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you tried this? Let us know.
You can also mention if you have already sorted this out OR Accept this one if it worked. It'll help others. Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your reply.
Correct, i do this on the universial forwarder. It seems that i have to try it on our indexer.
Edit: Now it works :-).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Glad that it worked out. Cheers !
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
