Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to exclude string from being indexed?

mmsbswe
Engager
‎06-25-2019 06:45 AM

Hello community,

i want to configure the splunk forwarder to exclude one specific string from being indexed to the splunk index.

In my case i want to exclude all lines like this from being transferred to the indexer:

*[25-Jun-2019 15:31:29 Europe/Berlin] PHP Deprecated:  The "checkDataSubmission" hook will be removed...*

These are my config files:

File: **/opt/splunkforwarder/etc/system/local/inputs.conf**

...
[monitor:///var/log/docker/php-fpm/error.log]
sourcetype=php:fpm:error
crcSalt=
index=php


File: **/opt/splunkforwarder/etc/system/local/props.conf**

[source::/var/log/docker/php-fpm/error.log]
TRANSFORMS-null= setnull


File: **/opt/splunkforwarder/etc/system/local/transforms.conf **

[setnull]
REGEX = .*PHP Deprecated.*
DEST_KEY = queue
FORMAT = nullQueue

I've done the following steps to debug this by myself:
executed:

- *./splunk cmd btool props list --debug*
- *./splunk cmd btool transforms list --debug*

To check if my configuration files was loaded when restarting the splunk service. All my configured lines are displayed by this.

Also i've restarted the splunk forwarder after editing the config.

Every help will be appreciated.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

amitm05
Builder
‎06-25-2019 09:09 AM

@mmsbswe
Looks like you are trying to do this on the Univ forwarder itself. These would not apply on UF.
You'd require to take these settings of props.conf and transforms.conf onto your indexer.

Thanks!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

amitm05
Builder
‎06-25-2019 09:09 AM

@mmsbswe
Looks like you are trying to do this on the Univ forwarder itself. These would not apply on UF.
You'd require to take these settings of props.conf and transforms.conf onto your indexer.

Thanks!

0 Karma
Reply
Solved! Jump to solution

amitm05
Builder
‎06-26-2019 01:02 PM

Have you tried this? Let us know.
You can also mention if you have already sorted this out OR Accept this one if it worked. It'll help others. Thanks

0 Karma
Reply
Solved! Jump to solution

mmsbswe
Engager
‎06-27-2019 07:04 AM

Thanks for your reply.

Correct, i do this on the universial forwarder. It seems that i have to try it on our indexer.

Edit: Now it works :-).

0 Karma
Reply
Solved! Jump to solution

amitm05
Builder
‎06-27-2019 10:30 AM

Glad that it worked out. Cheers !

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

 Are you ready to revolutionize your IT operations? As digital transformation accelerates, the demand for ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...