Getting Data In

Need to omit events with specific strings (info or debug) in them.

abhijit_mhatre
Path Finder

I am trying to prevent debug and info events from getting logged into Splunk. I created an inputs.conf and used a blacklist statement to blacklist these events, but it didn't help.
I wrote the stanza below in inputs.conf using a regex, but no luck.

blacklist = .:\s+[(debug|\sinfo)|.

Can I directly do blacklisting in inputs.conf using the statements below?
blacklist1 = debug
blacklist2 = info
If not, how can I do it? Is the only option left using props.conf and transforms.conf and sending these events to nullQueue?
Please help!

0 Karma

mayurr98
Super Champion

Hi

I think you are looking for something related to this:
http://docs.splunk.com/Documentation/Splunk/7.1.1/Forwarding/Routeandfilterdatad#Discard_specific_ev...

1) Edit props.conf and add the following:

[<your_sourcetype>]
TRANSFORMS-set = setnull,setparsing

2) Edit transforms.conf and add the following:

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = info|debug
DEST_KEY = queue
FORMAT = indexQueue

3) Restart Splunk Enterprise.

Let me know if this helps!

0 Karma

abhijit_mhatre
Path Finder

Hey mayurr98,

The configuration you provided indexes info and debug logs and omits everything else. We want it the other way around.

Below are the sample events:
Jun XX 10:02:27 3r79-c05-04 hostname : [debug|file|0 ||xcp-rrdd-xenpm] Process 1234 exited normally with XX
Jun XX 10:02:27 3r79-c05-04 hostname : [debug|file|0 ||xcp-rrdd-xenpm] Forking command XXXXXXXX
Jun XX 11:02:59 3r79-c05-04 hostname: [ info|3R79-C05-04|243325 INET :::43|session.logout 23XXXX|xapi] SessionXXXX XXXXXX

The configuration I wrote:

props.conf:

TRANSFORMS-remove = remove

transforms.conf:

[remove]
REGEX = (^\w+\s+\d+\s+\d+:\d+:\d+\s(3r79-c05-04)\s+[a-zA-z-:]+\s[(debug|\sinfo)
DEST_KEY = queue
FORMAT = nullQueue

It is not working.

Anyone, please advise.

0 Karma

FrankVl
Ultra Champion

You need to escape that [ before the debug|info part. Check with regex101.com or a similar regex tool whether your regex matches.

0 Karma

FrankVl
Ultra Champion

What type of input are we talking about? For things like file monitor, the blacklist and whitelist apply to the file path, not the event content. For WinEventLog you could use blacklist and whitelist with regular expressions to filter based on event content.

So depending on what type of input you have, you may indeed need to resort to using props and transforms to send the unwanted events to the nullqueue.

For details you can check the relevant section of the inputs.conf spec, to see how blacklist can be used for that type of input.

0 Karma
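Added example (not code from the thread, from Splunk, or from any of the posters above): a small Python harness that does what FrankVl suggests, checking the regex offline before it goes into transforms.conf, and that simulates how a TRANSFORMS-* list routes events. It assumes Splunk's documented behaviour that transforms in one TRANSFORMS-* setting are applied in order and each matching one overwrites DEST_KEY queue, so the last match wins; it uses Python's re rather than Splunk's PCRE, which is close enough for these patterns. The sample events are constructed from the anonymised lines in the thread, with an error and a warn line added so the inverse routing is visible. It shows three things: the original [remove] pattern does not compile because the unescaped [ opens a character class that never closes; mayurr98's setnull/setparsing pair keeps only info and debug; a single transform with the bracket escaped drops info and debug and indexes the rest, which is what the question asks for.

```python
import re

# Constructed sample events, anonymised in the same way as the ones in the thread.
SAMPLE_EVENTS = [
    "Jun 12 10:02:27 3r79-c05-04 hostname : [debug|file|0 ||xcp-rrdd-xenpm] Process 1234 exited normally with 0",
    "Jun 12 10:02:27 3r79-c05-04 hostname : [debug|file|0 ||xcp-rrdd-xenpm] Forking command /usr/bin/true",
    "Jun 12 11:02:59 3r79-c05-04 hostname: [ info|3R79-C05-04|243325 INET :::43|session.logout 23ABCD|xapi] Session closed",
    "Jun 12 11:03:10 3r79-c05-04 hostname: [error|3R79-C05-04|243326|xapi] Storage backend unreachable",
    "Jun 12 11:03:11 3r79-c05-04 hostname: [ warn|3R79-C05-04|243327|xapi] Retrying connection",
]

# The [remove] REGEX from the thread, kept verbatim so check_regex() can show why it fails.
ORIGINAL_PATTERN = r"(^\w+\s+\d+\s+\d+:\d+:\d+\s(3r79-c05-04)\s+[a-zA-z-:]+\s[(debug|\sinfo)"

# mayurr98's pair: setnull sends everything to nullQueue, setparsing then re-routes
# any event containing info or debug back to indexQueue (last match wins).
KEEP_ONLY_INFO_DEBUG = [
    ("setnull", r".", "nullQueue"),
    ("setparsing", r"info|debug", "indexQueue"),
]

# The inverse, which is what the question asks for: one transform whose REGEX
# matches the "[debug|" / "[ info|" level field (bracket escaped, optional space)
# and sends those events to nullQueue; everything else stays on indexQueue.
# The host and process fields are matched loosely (\S+) instead of hard-coding them.
DROP_INFO_DEBUG = [
    ("remove", r"^\w+\s+\d+\s+\d+:\d+:\d+\s+\S+\s+\S+\s*:\s*\[\s*(debug|info)\|", "nullQueue"),
]


def check_regex(pattern):
    """Return None if the pattern compiles, otherwise the compiler's error text.

    This is the offline sanity check FrankVl recommends; an unescaped '[' is the
    usual culprit because it opens a character class."""
    try:
        re.compile(pattern)
        return None
    except re.error as exc:
        return str(exc)


def route_event(event, transforms, default_queue="indexQueue"):
    """Simulate a TRANSFORMS-* list: every transform whose REGEX matches sets
    DEST_KEY=queue to its FORMAT, so the last matching transform decides."""
    queue = default_queue
    for _name, regex, fmt in transforms:
        if re.search(regex, event):
            queue = fmt
    return queue


def route_all(events, transforms):
    """Return the destination queue for each event under the given transforms."""
    return [route_event(e, transforms) for e in events]


if __name__ == "__main__":
    print("original [remove] pattern:", check_regex(ORIGINAL_PATTERN) or "compiles")
    for label, transforms in (("keep only info/debug", KEEP_ONLY_INFO_DEBUG),
                              ("drop info/debug", DROP_INFO_DEBUG)):
        print(f"\n{label}:")
        for event, queue in zip(SAMPLE_EVENTS, route_all(SAMPLE_EVENTS, transforms)):
            print(f"  {queue:10s}  {event[:60]}")
```

Running the script prints the compile error for the thread's pattern, then the queue each sample event lands in under both configurations. The DROP_INFO_DEBUG pattern is the one you would paste into a transforms.conf [remove] stanza with DEST_KEY = queue and FORMAT = nullQueue, referenced from the sourcetype's TRANSFORMS-remove = remove in props.conf; it still needs a test against your real events in regex101 or this harness because the hostname and process fields in your logs may differ from the anonymised samples.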