Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is there a way to blacklist specific event for specific index

ss026381
Communicator
‎10-06-2017 12:59 PM

I know we can easily blacklist specific event using regex in props.conf and transforms.conf . But I have 4 different indexes and I want to blacklists specific events from one index, or maybe I want to whitelist specific event for 1 index. is it possible?

0 Karma
Reply

ss026381
Communicator
‎10-06-2017 01:49 PM

Thanks Jeanies, I though stanza only works for a source. I never tried it with index. I will try it and close it if it works.

0 Karma
Reply

DalJeanis
Legend
‎10-06-2017 01:36 PM

Yes, you are looking to "route unwanted events to the nullqueue".

Basically, you will create a regex that identifies the events you want to blacklist, put somestanza name in props.conf for that index or source, then in transforms.conf under that somestanza you will have 

 [somestanza]
 SOURCE_KEY = whateverfieldIwanttofindtehmatchin
 REGEX = mymatchregex
 DEST_KEY = queue
 FORMAT = nullQueue

Here are some examples -

https://answers.splunk.com/answers/59370/filtering-events-using-nullqueue-1.html

Reply

ss026381
Communicator
‎10-11-2017 07:25 AM

didn't work for me. I bet I am doing something wrong. Here is my configuration file.

props.conf 

[source::*.*]
index=new-index 
TRANSFORMS-set= setnull

transforms.conf 

[setnull]
REGEX = .*\s+Debug\s+.*
DEST_KEY = queue
FORMAT = nullQueue

I am trying to blacklist all debug events. For example:

 11 Oct 2017 09:05:39  n/a -  client   exception  Debug  Authentication error
0 Karma
Reply

DalJeanis
Legend
‎04-09-2018 09:18 PM

Your [setnull] stanza looks okay, like it would work technically, but you will probably have a catastrophic backtracking error on any event that does NOT have Debug in it. Basically, it would use the first . to slurp up all the characters until it got to the end, and then back up to the first space, then look for Debug again, then back up again, and so on. because each thing that qualifies for \s ALSO qualifies for '.', it can fail to match many many different ways.

You should take advantage of the fact that the REGEX is not anchored, so you are just looking for a space, then the word Debug, then a space. 

[setnull]
REGEX = \sDebug\s
DEST_KEY = queue
FORMAT = nullQueue

If you want to route to a different index, there is a different syntax for that. It would look something like this, and should be in a stanza of its own.

[stanzaname]
REGEX (.)
DEST_KEY = _MetaData:Index
FORMAT = newindexname

https://answers.splunk.com/answers/478659/how-to-route-to-an-index-based-on-sourcetype-and-h.html

Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...