I know we can easily blacklist specific events using a regex in props.conf and transforms.conf. But I have 4 different indexes and I want to blacklist specific events from one index, or maybe I want to whitelist specific events for 1 index. Is it possible?
Thanks Jeanies, I thought the stanza only works for a source. I never tried it with an index. I will try it and close this if it works.
Yes, you are looking to "route unwanted events to the nullqueue".
Basically, you will create a regex that identifies the events you want to blacklist, put a somestanza name in props.conf for that index or source, then in transforms.conf under that somestanza you will have:
[somestanza]
# SOURCE_KEY defaults to _raw (the whole event) when omitted
SOURCE_KEY = whatever_field_I_want_to_find_the_match_in
REGEX = my_match_regex
DEST_KEY = queue
FORMAT = nullQueue
Here are some examples -
https://answers.splunk.com/answers/59370/filtering-events-using-nullqueue-1.html
It didn't work for me. I bet I am doing something wrong. Here is my configuration file.
props.conf
[source::*.*]
index=new-index
TRANSFORMS-set= setnull
transforms.conf
[setnull]
REGEX = .*\s+Debug\s+.*
DEST_KEY = queue
FORMAT = nullQueue
I am trying to blacklist all debug events. For example:
11 Oct 2017 09:05:39 n/a - client exception Debug Authentication error
Your [setnull] stanza looks okay, like it would work technically, but you will probably have a catastrophic backtracking problem on any event that does NOT have Debug in it. Basically, it would use the first .* to slurp up all the characters until it got to the end, and then back up to the first space, then look for Debug again, then back up again, and so on. Because each thing that qualifies for \s ALSO qualifies for '.', it can fail to match in many, many different ways.
You should take advantage of the fact that the REGEX is not anchored, so you are just looking for a space, then the word Debug, then a space.
[setnull]
REGEX = \sDebug\s
DEST_KEY = queue
FORMAT = nullQueue
If you want to route to a different index, there is a different syntax for that. It would look something like this, and should be in a stanza of its own.
[stanzaname]
# any non-empty event matches
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = newindexname
https://answers.splunk.com/answers/478659/how-to-route-to-an-index-based-on-sourcetype-and-h.html
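The two transforms discussed in this thread (nullQueue filtering with the simpler \sDebug\s regex, and routing to another index with _MetaData:Index) can be checked offline before touching a production indexer. The following is an added example, not code from the thread or from Splunk: a small Python model of how transforms.conf stanzas with REGEX / DEST_KEY / FORMAT route an event, run over constructed sample events (the first one is the line quoted in the question). It approximates Splunk's behaviour as "each matching transform, in order, overwrites its DEST_KEY" and does not model props.conf stanza matching at all; the stanza names, the index name newindexname and the sample events other than the quoted one are assumptions for the example.

```python
"""Model of Splunk transforms.conf event routing (added example, not Splunk code).

Simulates how transforms with REGEX / DEST_KEY / FORMAT send an event to the
nullQueue or to another index, and checks that the answer's simpler regex
selects exactly the same events as the original one. Splunk's pipeline is
approximated: each matching transform in the list overwrites its DEST_KEY,
in order, and REGEX is applied case-sensitively to SOURCE_KEY (default _raw).
"""
import re
import time
from dataclasses import dataclass


@dataclass
class Transform:
    """One transforms.conf stanza; SOURCE_KEY defaults to _raw as in Splunk."""
    name: str
    regex: str
    dest_key: str
    fmt: str
    source_key: str = "_raw"

    def __post_init__(self) -> None:
        # Splunk's REGEX is case-sensitive unless the pattern says otherwise
        self.pattern = re.compile(self.regex)


def route(event: dict, transforms: list) -> dict:
    """Return the routing keys of one event after applying transforms in order."""
    keys = {"queue": "indexQueue", "_MetaData:Index": event.get("index", "main")}
    for t in transforms:
        if t.pattern.search(event.get(t.source_key, "")):
            keys[t.dest_key] = t.fmt  # a later matching transform overwrites
    return keys


def kept_events(events: list, transforms: list) -> list:
    """Events that survive, i.e. are not routed to the nullQueue."""
    return [e for e in events
            if route({"_raw": e}, transforms)["queue"] != "nullQueue"]


def regexes_agree(pattern_a: str, pattern_b: str, events: list) -> bool:
    """True if both patterns match exactly the same events (unanchored search)."""
    return all(bool(re.search(pattern_a, e)) == bool(re.search(pattern_b, e))
               for e in events)


def search_seconds(pattern: str, text: str) -> float:
    """Wall-clock cost of one unanchored search, to expose backtracking."""
    start = time.perf_counter()
    re.search(pattern, text)
    return time.perf_counter() - start


# stanzas from the thread, with the answer's simpler regex (names assumed)
SETNULL = Transform("setnull", r"\sDebug\s", "queue", "nullQueue")
ROUTE_INDEX = Transform("stanzaname", r".", "_MetaData:Index", "newindexname")

ORIGINAL_REGEX = r".*\s+Debug\s+.*"   # the asker's pattern
SIMPLER_REGEX = r"\sDebug\s"          # the answer's pattern

# constructed sample events; only the first one is quoted in the thread
EVENTS = [
    "11 Oct 2017 09:05:39 n/a - client exception Debug Authentication error",
    "11 Oct 2017 09:05:40 n/a - client exception Error Authentication error",
    # lowercase "debug" is NOT dropped: REGEX is case-sensitive
    "11 Oct 2017 09:05:41 n/a - client exception debug Authentication error",
    # "Debugger" is NOT dropped: no whitespace follows "Debug"
    "11 Oct 2017 09:05:42 n/a - Debugger attached to session",
]

if __name__ == "__main__":
    for e in EVENTS:
        print(route({"_raw": e}, [SETNULL, ROUTE_INDEX]), "<-", e[21:])
    print("kept by setnull:", len(kept_events(EVENTS, [SETNULL])), "of", len(EVENTS))
    print("patterns agree on samples:",
          regexes_agree(ORIGINAL_REGEX, SIMPLER_REGEX, EVENTS))
    # an all-whitespace event with no "Debug": every \s also matches '.',
    # so the original pattern's cost grows far faster than linearly
    noisy = " " * 400
    print("original regex: %.4fs" % search_seconds(ORIGINAL_REGEX, noisy))
    print("simpler regex:  %.4fs" % search_seconds(SIMPLER_REGEX, noisy))
```

Run it directly to see the routing table and the timing gap between the two patterns on a whitespace-heavy non-matching event; the two caveats worth noting from the sample events are that the match is case-sensitive (lowercase "debug" is indexed) and that \sDebug\s only matches the standalone word (a "Debugger" event is indexed too).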