Try this
props.conf: (you can replace sourcetype with syslog)
[syslog]
TRANSFORMS-switch = switchFilter
transforms.conf:
[switchFilter]
REGEX = 10.xx.xx.xx
DEST_KEY = queue
FORMAT = nullQueue
Make sure you reload Splunk (https://:8000/debug/refresh) or restart the Splunk service after applying the props and transforms.
Thanks,
Sp
Hope it won't stop all logs for the particular device, as the intention is not to stop all the logs but just a specific log from the device.
Never mind. I thought you were trying to stop all the events from a particular device. The above configuration I gave is to stop all the events.
shaskell has already given what you need, but to discard specific events and keep the rest:
props:
[host::10.xx.xx.xx]
TRANSFORMS-null = setnull
transforms:
[setnull]
REGEX = string you need to discard
DEST_KEY = queue
FORMAT = nullQueue
Can you clarify how the data is getting into Splunk? Is it coming directly from the switch via Syslog or from a Syslog aggregation point using the Universal Forwarder?
If there's no way to disable the logging directly at the source and you just don't want the data indexed, then you can configure Splunk to send the data to the null queue for that source IP address of the device. You do need to validate that the IP address is the actual hostname from a Splunk search and, if it's not, update the host stanza to the correct hostname for the device.
It's going to be a combination of props and transforms on your indexer(s).
props.conf
[host::10.xx.xx.xx]
TRANSFORMS-null = setnull
transforms.conf
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
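As an added illustration (not code from this thread and not Splunk's own code), the following Python models how the props/transforms stanzas in Sp's second post and in shaskell's post route events: a [host::...] stanza selects the transforms, REGEX is tested against the raw event, and DEST_KEY = queue with FORMAT = nullQueue discards it. The events, hostnames and transform names are constructed placeholders. The third config goes beyond the thread: it drops everything from the host except configuration-change messages, which relies on a later indexQueue transform overriding an earlier nullQueue one (the order on the TRANSFORMS line matters).

```python
import re
from dataclasses import dataclass

# Hypothetical, simplified model of Splunk's props/transforms queue routing.
# It is an illustration, not Splunk's implementation.


@dataclass
class Event:
    host: str
    sourcetype: str
    raw: str


# Constructed sample switch syslog events (placeholder hosts, not real devices).
EVENTS = [
    Event("10.20.30.40", "syslog", "%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 192.0.2.9]"),
    Event("10.20.30.40", "syslog", "%LINK-3-UPDOWN: Interface Gi1/0/1, changed state to down"),
    Event("10.20.30.41", "syslog", "%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ops] [Source: 192.0.2.10]"),
    Event("10.20.30.41", "syslog", "%SYS-5-CONFIG_I: Configured from console by ops on vty0"),
    Event("10.20.30.40", "syslog", "%SYS-5-CONFIG_I: Configured from console by admin on vty0"),
]

NULLQ = {"DEST_KEY": "queue", "FORMAT": "nullQueue"}

# shaskell's config: REGEX = . matches any event, so everything from the host is discarded.
DROP_ALL_FROM_HOST = {
    "props": {"host::10.20.30.40": ["setnull"]},
    "transforms": {"setnull": {"REGEX": ".", **NULLQ}},
}

# Sp's second config: only events matching the string are discarded; the rest are indexed.
DROP_LOGINS_ONLY = {
    "props": {"host::10.20.30.40": ["setnull_login"]},
    "transforms": {"setnull_login": {"REGEX": r"SEC_LOGIN-5-LOGIN_(SUCCESS|FAILED)", **NULLQ}},
}

# Generalisation not shown in the thread: drop everything from the host except
# config-change events, by listing the nullQueue transform before the keep transform.
DROP_ALL_BUT_CONFIG = {
    "props": {"host::10.20.30.40": ["setnull", "keep_config"]},
    "transforms": {
        "setnull": {"REGEX": ".", **NULLQ},
        "keep_config": {"REGEX": r"SYS-5-CONFIG_I", "DEST_KEY": "queue", "FORMAT": "indexQueue"},
    },
}


def transforms_for(event, props):
    """Names of transforms whose props stanza matches this event.
    Stanza forms modelled: [host::<host>] and a bare [<sourcetype>] stanza."""
    names = []
    for stanza, transform_names in props.items():
        if stanza == f"host::{event.host}" or stanza == event.sourcetype:
            names.extend(transform_names)
    return names


def route_event(event, config):
    """Return the queue the event ends up in: 'nullQueue' (discarded) or 'indexQueue'.
    Transforms run in listed order; the last DEST_KEY = queue match sets the queue."""
    queue = "indexQueue"
    for name in transforms_for(event, config["props"]):
        t = config["transforms"][name]
        if t.get("DEST_KEY") == "queue" and re.search(t["REGEX"], event.raw):
            queue = t["FORMAT"]
    return queue


def summarize(config, events=EVENTS):
    """Count how many of the sample events would be indexed vs discarded."""
    counts = {"indexQueue": 0, "nullQueue": 0}
    for e in events:
        counts[route_event(e, config)] += 1
    return counts


if __name__ == "__main__":
    for label, cfg in (("drop all from host", DROP_ALL_FROM_HOST),
                       ("drop logins only", DROP_LOGINS_ONLY),
                       ("drop all but config", DROP_ALL_BUT_CONFIG)):
        print(f"{label}: {summarize(cfg)}")
        for e in EVENTS:
            print(f"  {e.host}  {route_event(e, cfg):10s}  {e.raw[:48]}")
```

Running it shows why the thread's two answers differ: the REGEX = . version silences the switch entirely, while the login-specific REGEX keeps link and config messages. It also shows the check shaskell keeps repeating: if the host field Splunk assigns does not equal the string in the [host::...] stanza, no transform is selected and nothing is dropped, so confirm the host value with a search before relying on the filter.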
I tried but it didn't work 😞
We have pointed the syslog at the Splunk server; there is no universal forwarder. So if a user logs in to the switch, I don't want that log to be captured on Splunk.
@vineeth10 You may want to take a look at this: http://www.georgestarcher.com/splunk-success-with-syslog/
Try the method I've suggested to drop any events coming from that device from being indexed. The key is to make sure you have the correct hostname in the props.conf stanza.