
On a syslog light forwarder, how to ignore certain junk folders

Path Finder

So I have a syslog forwarder with the Splunk light forwarder installed.
I have a /var/syslog/* monitor statement, and also some custom ones where needed: /var/syslog/servername1/* index=test, etc.

I have noticed that some users send in some real crappy data (example: %hostgoeshere+timestamp). Without removing my catch-all monitor statement and having a never-ending task of adding new hosts, is there a way with the monitor statement to send this data to the null queue?
Something like

[monitor:///var/syslog/%hostgoeshere*/*.log]
index=null

Don't see the notes anyway without having to use transforms etc... but I think this must be easier.

0 Karma

Re: On a syslog light forwarder, how to ignore certain junk folders

SplunkTrust

Re: On a syslog light forwarder, how to ignore certain junk folders

Path Finder

Interesting, so adding something like blacklist = %hostgoeshere. would filter out all this junk?

0 Karma

Re: On a syslog light forwarder, how to ignore certain junk folders

SplunkTrust

Yup, a file will be ignored if its path matches the regex specified in a blacklist attribute. There's more info here: http://docs.splunk.com/Documentation/Splunk/6.0.2/Data/Whitelistorblacklistspecificincomingdata
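
One way to check a candidate blacklist regex before putting it on the forwarder, so that it drops only the junk folders and not logs from real hosts (an added example, not part of the original thread). It assumes the regex is applied as an unanchored search against the full file path; the sample paths, candidate patterns and function names are constructed for illustration.

```python
import re

# Constructed sample paths as they might appear under the /var/syslog/* monitor.
SAMPLE_PATHS = [
    "/var/syslog/servername1/messages.log",
    "/var/syslog/web01/auth.log",
    "/var/syslog/%hostgoeshere1394012345/messages.log",
    "/var/syslog/%hostgoeshere1394098745/cron.log",
    "/var/syslog/host%20name/messages.log",  # real host whose name contains '%'
]

# Candidate values for a blacklist attribute on the catch-all monitor stanza.
CANDIDATES = {
    # Only directories directly under /var/syslog whose name starts with the
    # unexpanded placeholder.
    "placeholder_prefix": r"/var/syslog/%hostgoeshere[^/]*/",
    # Too broad: any path containing a percent sign.
    "any_percent": r"%",
}


def split_by_blacklist(regex, paths):
    """Return (ignored, monitored) for a blacklist regex.

    Assumption: a path is ignored when the regex matches anywhere in it.
    """
    pattern = re.compile(regex)
    ignored = [p for p in paths if pattern.search(p)]
    monitored = [p for p in paths if not pattern.search(p)]
    return ignored, monitored


def unexpected_drops(regex, paths, junk_marker="%hostgoeshere"):
    """Paths the blacklist would ignore that are not the junk folders."""
    ignored, _ = split_by_blacklist(regex, paths)
    return [p for p in ignored if junk_marker not in p]


if __name__ == "__main__":
    for name, regex in CANDIDATES.items():
        ignored, monitored = split_by_blacklist(regex, SAMPLE_PATHS)
        print(f"{name}: blacklist = {regex}")
        print(f"  ignored={len(ignored)} monitored={len(monitored)}")
        for path in unexpected_drops(regex, SAMPLE_PATHS):
            print(f"  WARNING would also drop: {path}")
```

Running it against a listing of the real /var/syslog tree instead of the constructed paths shows which sources would go silent before the change is deployed.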