Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to prevent the indexing of particular error. Is it possible to filter by Message?

cmahan
Path Finder
‎08-28-2015 01:59 PM

I can't quite find a way to block this particular event from being indexed. Blacklisting doesn't seem to be an option and the transforms regex method is just a little over my head in this scenario.. here is the event below. This one event generates over a million events a week and is killing my license. I need to block it until the issue is resolved and it is taking a while to nail it down.

LogName=Application
SourceName=SlxSearchTrigger
EventCode=4
EventType=2
Type=Error
ComputerName=Example-SLX
TaskCategory=None
OpCode=None
RecordNumber=237604
Keywords=Classic
Message=Execute Method: Recordset not returned from Trigger_Params
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎08-30-2015 11:20 AM

If what you listed is the raw log text (not field names with values) then you can do something like this on your Indexers:

props.conf

[PutYourSourcetypeHere]
TRANSFORMS-license_killers = recordset_not_returned

###transforms.conf

[recordset_not_returned]
REGEX = (?m)^Message=Execute Method: Recordset not returned from Trigger_Params$
DEST_KEY = queue
FORMAT = nullQueue

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎08-30-2015 11:20 AM

If what you listed is the raw log text (not field names with values) then you can do something like this on your Indexers:

props.conf

[PutYourSourcetypeHere]
TRANSFORMS-license_killers = recordset_not_returned

###transforms.conf

[recordset_not_returned]
REGEX = (?m)^Message=Execute Method: Recordset not returned from Trigger_Params$
DEST_KEY = queue
FORMAT = nullQueue
Reply
Solved! Jump to solution

cmahan
Path Finder
‎08-31-2015 12:32 PM

Thanks!. I'll give it a shot today.

0 Karma
Reply
Solved! Jump to solution

cmahan
Path Finder
‎09-04-2015 06:14 AM

Once I finally realized this was for the indexer, not the forwarders, I got it working. Thanks! I had been thinking we had to prevent the data from even going to the indexer. This seems to be doing the trick, as I have stopped the events from showing up in search - and also it appears the license consumption has gone down some.. not as much as expected, but it is better!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...