Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: How to exclude string from being indexed?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mmsbswe
Engager
06-25-2019
06:45 AM
Hello community,
i want to configure the splunk forwarder to exclude one specific string from being indexed to the splunk index.
In my case i want to exclude all lines like this from being transferred to the indexer:
*[25-Jun-2019 15:31:29 Europe/Berlin] PHP Deprecated: The "checkDataSubmission" hook will be removed...*
These are my config files:
File: **/opt/splunkforwarder/etc/system/local/inputs.conf**
...
[monitor:///var/log/docker/php-fpm/error.log]
sourcetype=php:fpm:error
crcSalt=
index=php
File: **/opt/splunkforwarder/etc/system/local/props.conf**
[source::/var/log/docker/php-fpm/error.log]
TRANSFORMS-null= setnull
File: **/opt/splunkforwarder/etc/system/local/transforms.conf **
[setnull]
REGEX = .*PHP Deprecated.*
DEST_KEY = queue
FORMAT = nullQueue
I've done the following steps to debug this by myself:
executed:
- *./splunk cmd btool props list --debug*
- *./splunk cmd btool transforms list --debug*
To check if my configuration files was loaded when restarting the splunk service. All my configured lines are displayed by this.
Also i've restarted the splunk forwarder after editing the config.
Every help will be appreciated.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
amitm05
Builder
06-25-2019
09:09 AM
@mmsbswe
Looks like you are trying to do this on the Univ forwarder itself. These would not apply on UF.
You'd require to take these settings of props.conf and transforms.conf onto your indexer.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
amitm05
Builder
06-25-2019
09:09 AM
@mmsbswe
Looks like you are trying to do this on the Univ forwarder itself. These would not apply on UF.
You'd require to take these settings of props.conf and transforms.conf onto your indexer.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
amitm05
Builder
06-26-2019
01:02 PM
Have you tried this? Let us know.
You can also mention if you have already sorted this out OR Accept this one if it worked. It'll help others. Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mmsbswe
Engager
06-27-2019
07:04 AM
Thanks for your reply.
Correct, i do this on the universial forwarder. It seems that i have to try it on our indexer.
Edit: Now it works :-).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
amitm05
Builder
06-27-2019
10:30 AM
Glad that it worked out. Cheers !
Get Updates on the Splunk Community!
Splunk Developers: Go Beyond the Dashboard with These .Conf25 Sessions
Whether you’re building custom apps, diving into SPL2, or integrating AI and machine learning into your ...
Index This | How do you write 23 only using the number 2?
July 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this month’s ...
Splunk ITSI & Correlated Network Visibility
Now On Demand
Take Your Network Visibility to the Next Level
In today’s complex IT environments, ...
