- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Is there a way to blacklist specific event for...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is there a way to blacklist specific event for specific index
I know we can easily blacklist specific event using regex in props.conf and transforms.conf . But I have 4 different indexes and I want to blacklists specific events from one index, or maybe I want to whitelist specific event for 1 index. is it possible?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Jeanies, I though stanza only works for a source. I never tried it with index. I will try it and close it if it works.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, you are looking to "route unwanted events to the nullqueue".
Basically, you will create a regex that identifies the events you want to blacklist, put somestanza name in props.conf for that index or source, then in transforms.conf under that somestanza you will have
[somestanza]
SOURCE_KEY = whateverfieldIwanttofindtehmatchin
REGEX = mymatchregex
DEST_KEY = queue
FORMAT = nullQueue
Here are some examples -
https://answers.splunk.com/answers/59370/filtering-events-using-nullqueue-1.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
didn't work for me. I bet I am doing something wrong. Here is my configuration file.
props.conf
[source::*.*]
index=new-index
TRANSFORMS-set= setnull
transforms.conf
[setnull]
REGEX = .*\s+Debug\s+.*
DEST_KEY = queue
FORMAT = nullQueue
I am trying to blacklist all debug events. For example:
11 Oct 2017 09:05:39 n/a - client exception Debug Authentication error
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your [setnull] stanza looks okay, like it would work technically, but you will probably have a catastrophic backtracking error on any event that does NOT have Debug in it. Basically, it would use the first . to slurp up all the characters until it got to the end, and then back up to the first space, then look for Debug again, then back up again, and so on. because each thing that qualifies for \s ALSO qualifies for '.', it can fail to match many many different ways.
You should take advantage of the fact that the REGEX is not anchored, so you are just looking for a space, then the word Debug, then a space.
[setnull]
REGEX = \sDebug\s
DEST_KEY = queue
FORMAT = nullQueue
If you want to route to a different index, there is a different syntax for that. It would look something like this, and should be in a stanza of its own.
[stanzaname]
REGEX (.)
DEST_KEY = _MetaData:Index
FORMAT = newindexname
https://answers.splunk.com/answers/478659/how-to-route-to-an-index-based-on-sourcetype-and-h.html
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
