Getting Data In

Need to omit events with specific strings (info or debug) in them.

Path Finder

I am trying to prevent debug and info events from getting logged into Splunk. I created an inputs.conf and used a blacklist statement to blacklist these events, but it didn't help.
I wrote the stanza below in inputs.conf using a regex, but no luck.

blacklist = .:\s+[(debug|\sinfo)|.

Can I directly do blacklisting in inputs.conf using the statements below?
blacklist1 = debug
blacklist2 = info
If not, how can I do it? Is the only option left to use props.conf and transforms.conf and send these events to nullQueue?
Please help!

0 Karma

Super Champion


I think you are looking for something related to this:

1) Edit props.conf and add the following (the stanza header is a placeholder; use the source or sourcetype stanza that matches your input):

[<your source or sourcetype stanza>]
TRANSFORMS-set = setnull,setparsing

2) Edit transforms.conf and add the following (stanza headers restored to match the TRANSFORMS-set names above; REGEX = . is the catch-all that sends every event to nullQueue first):

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = info|debug
DEST_KEY = queue
FORMAT = indexQueue

3) Restart Splunk Enterprise.

Let me know if this helps!

0 Karma

Path Finder

Hey mayurr98,

The configuration you provided is to index info and debug logs and omit everything else. We want it the other way round.

Below are the sample events:
Jun XX 10:02:27 3r79-c05-04 hostname : [debug|file|0 ||xcp-rrdd-xenpm] Process 1234 exited normally with XX
Jun XX 10:02:27 3r79-c05-04 hostname : [debug|file|0 ||xcp-rrdd-xenpm] Forking command XXXXXXXX
Jun XX 11:02:59 3r79-c05-04 hostname: [ info|3R79-C05-04|243325 INET :::43|session.logout 23XXXX|xapi] SessionXXXX XXXXXX

The configuration I wrote (stanza headers restored; the props.conf header is a placeholder for the matching source or sourcetype stanza):

props.conf:

[<your source or sourcetype stanza>]
TRANSFORMS-remove = remove

transforms.conf:

[remove]
REGEX = (^\w+\s+\d+\s+\d+:\d+:\d+\s(3r79-c05-04)\s+[a-zA-z-:]+\s[(debug|\sinfo)
DEST_KEY = queue
FORMAT = nullQueue

It is not working.

Anyone please advise.

0 Karma

Ultra Champion

You need to escape that [ before the debug|info part. Check with or similar regex tool if your regex matches.

0 Karma

Ultra Champion

What type of input are we talking about? For things like file monitor, the blacklist and whitelist apply to the file path, not the event content. For WinEventLog you could use blacklist and whitelist with regular expressions to filter based on event content.

So depending on what type of input you have, you may indeed need to resort to using props and transforms to send the unwanted events to the nullqueue.

For details you can check the relevant section of the inputs.conf spec, to see how blacklist can be used for that type of input.

0 Karma
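The two points made in the replies above (the unescaped `[` breaks the regex, and a TRANSFORMS chain decides the queue with the last matching transform winning) can be checked offline before touching a Splunk server. The script below is an added example and is not code from the thread or from Splunk; it models the transforms chain in plain Python, using Python's re module as a stand-in for Splunk's PCRE engine (the constructs used here behave the same in both). The sample events are constructed to mirror the shape of the ones posted, and the corrected regex is an assumption that mirrors the poster's intent; it also accepts both "hostname :" and "hostname:" spellings seen in the samples.

```python
import re

# Constructed sample events shaped like the ones in the thread (not the poster's exact lines).
SAMPLE_EVENTS = [
    "Jun 12 10:02:27 3r79-c05-04 hostname : [debug|file|0 ||xcp-rrdd-xenpm] Process 1234 exited normally",
    "Jun 12 10:02:27 3r79-c05-04 hostname : [debug|file|0 ||xcp-rrdd-xenpm] Forking command sleep",
    "Jun 12 11:02:59 3r79-c05-04 hostname: [ info|3R79-C05-04|243325 INET :::43|session.logout 23|xapi] Session closed",
    "Jun 12 11:03:10 3r79-c05-04 hostname : [error|file|0 ||xcp-rrdd-xenpm] Process 4321 exited with code 1",
    "Jun 12 11:04:00 3r79-c05-04 hostname: [ warn|3R79-C05-04|1 INET :::43|session.login 99|xapi] Session opened",
]

# The regex exactly as posted in the thread: the final "[" opens a character class
# that is never closed, so the engine rejects the whole pattern.
POSTED_BROKEN = r"(^\w+\s+\d+\s+\d+:\d+:\d+\s(3r79-c05-04)\s+[a-zA-z-:]+\s[(debug|\sinfo)"

# Assumed corrected regex: "[" escaped as "\[", optional whitespace and colon handling
# so that both "hostname :" and "hostname:" match, level anchored to the following "|".
DROP_REGEX = r"^\w+\s+\d+\s+\d+:\d+:\d+\s+3r79-c05-04\s+\S+\s*:?\s*\[\s*(debug|info)\|"


def compiles(pattern):
    """True if the regex engine accepts the pattern, False if it raises."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def route(event, transforms):
    """Model a TRANSFORMS-<name> chain of (REGEX, FORMAT) pairs with DEST_KEY = queue.

    Transforms run in order; every one whose REGEX matches sets the queue, so the
    last match wins. An event matched by none stays on the default indexQueue."""
    queue = "indexQueue"
    for regex, fmt in transforms:
        if re.search(regex, event):
            queue = fmt
    return queue


def route_all(transforms, events=SAMPLE_EVENTS):
    return [route(e, transforms) for e in events]


# Chain from the first answer: catch-all to nullQueue, then info|debug back to indexQueue.
# Net effect: ONLY info/debug events are indexed (the opposite of what the poster wants).
KEEP_ONLY_INFO_DEBUG = [(".", "nullQueue"), (r"info|debug", "indexQueue")]

# Chain the poster wants: a single transform that drops info/debug, everything else indexed.
DROP_INFO_DEBUG = [(DROP_REGEX, "nullQueue")]


if __name__ == "__main__":
    print("posted regex compiles:", compiles(POSTED_BROKEN))
    print("corrected regex compiles:", compiles(DROP_REGEX))
    for chain_name, chain in (("keep-only", KEEP_ONLY_INFO_DEBUG), ("drop", DROP_INFO_DEBUG)):
        print(chain_name)
        for event, queue in zip(SAMPLE_EVENTS, route_all(chain)):
            print(f"  {queue:10s} {event[:60]}")
```

Running it shows the posted regex failing to compile, the first answer's chain indexing only the debug/info lines, and the single drop transform routing exactly those three lines to nullQueue while the error and warn lines stay on indexQueue. Whatever regex you settle on, paste it into a regex tester against a handful of real events before restarting Splunk, since a transform that matches nothing silently indexes everything.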