Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to ignore some data from getting indexed?

dbcase
Motivator
‎02-10-2017 11:23 AM

Hi,

I have this data that I'd like to index

000d6f0004349d51.1: 
    Label: Front Door
    Manufacturer: SAMSUNG SDS
    Model: SHN-WDD510
    Firmware version: 0x00000005
    Hardware version: 1
    User Properties:
        NearEndRssi: -54
        NearEndLqi: 255
        batteryLow: false
        label: Front Door
        deadboltJammed: false
    Battery Operated: True
    Voltage: 6.0V
    FE radio: -57/255
    NE radio: -54/255
    Date added: Fri Dec 12 20:08:30 CST 2014
    Date of last communication: Fri Feb 10 12:45:59 CST 2017
    In Communication Failure: false
    In firmware upgrade failure: false
    Firmware upgrade available: false
    Is Locked: true
    Max Users: 100
    Operation Mode: normal

Success.
Exiting
Opened at /java/lib/normal.dat
Opened at /java/lib/native.dat

I'd like to ignore 

Success.
    Exiting
    Opened at /java/lib/normal.dat
    Opened at /java/lib/native.dat

How would I go about doing that?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎02-10-2017 01:34 PM

You should use SEDCMD in your props.conf

This is not tested, but should work (Try it in your Dev environment before applying in production)

[YourSourceType]
SEDCMD-strip-msg = s/Success\.\n\sExiting\n\sOpened\sat\s\/java.+\n\sOpened\sat.+//g

Don't forget to restart the Splunk service after making these changes to props.conf

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎02-10-2017 01:34 PM

You should use SEDCMD in your props.conf

This is not tested, but should work (Try it in your Dev environment before applying in production)

[YourSourceType]
SEDCMD-strip-msg = s/Success\.\n\sExiting\n\sOpened\sat\s\/java.+\n\sOpened\sat.+//g

Don't forget to restart the Splunk service after making these changes to props.conf

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎02-10-2017 01:44 PM

I updated the answer to give a safer regular expression

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎02-15-2017 12:45 PM

@dbcase.. Did this solve your question? If so then please accept the answer

0 Karma
Reply
Solved! Jump to solution

dbcase
Motivator
‎02-10-2017 12:04 PM

FYI the data that I hope to ignore will ALWAYS be:

Success.
     Exiting
     Opened at /java/lib/normal.dat
     Opened at /java/lib/native.dat
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...