Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Restriking indexed items
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Restriking indexed items
I have a question on how to restrict what goes into an index.
I have read a number of posts and documentation on how this should work.
In my case I have tried a number of permutations of the props.conf and transforms.conf with no success.
I oneshot the logs in and all the items in the log goes into the index. Here are my props.conf and transforms.conf. Any help would be great.
Thanks
V 1
props.conf
[1033NCL11O]
DATETIME_CONFIG = CURRENT
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\n])
KV_MODE=none
SEGMENTATION-all = inner
TRANSFORMS-set = setnullO
TRANSFORMS-set = setparsingO
TRANSFORMS-servicename = extract-webdata-sernmO
transforms.conf
[setnullO]
REGEX = (INFO|DEBUG)
SOURCE_KEY = queue
FORMAT = nullQueue
[setparsingO]
REGEX = .
DEST_KEY = queue
FORMAT = indexQueue
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
V 2
props.conf
[1033NCL11O]
DATETIME_CONFIG = CURRENT
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\n])
KV_MODE=none
SEGMENTATION-all = inner
TRANSFORMS-set = setparsingO
TRANSFORMS-set = setnullO
TRANSFORMS-servicename = extract-webdata-sernmO
transforms.conf
[setnullO]
REGEX = .
SOURCE_KEY = queue
FORMAT = nullQueue
[setparsingO]
REGEX = (TEST|ERROR|WARN|ABT|DEBUG2)
DEST_KEY = queue
FORMAT = indexQueue
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So what you are saying is that the issue is with the spaces around the equals.
DEST_KEY = queue should be DEST_KEY=queue
Does the spaces around the equals make a difference? If so why?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So what you are saying is that the issue is with the spaces around the equals.
DEST_KEY = queue should be DEST_KEY=queue
Does the spaces around the equals make a difference? If so why?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why not simply
props.conf
[1033NCL11O]
DATETIME_CONFIG = CURRENT
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\n])
KV_MODE=none
SEGMENTATION-all = inner
TRANSFORMS-set = setnullO
TRANSFORMS-servicename = extract-webdata-sernmO
transforms.conf
[setnullO]
REGEX = (INFO|DEBUG)
DEST_KEY = queue
FORMAT = nullQueue
And the real problem is that it should be DEST_KEY=queue
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No the real problem is that you used SOURCE_KEY = queue instead of DEST_KEY = queue in the setnull0 transform...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So what you are saying is that the issue is with the spaces around the equals.
DEST_KEY = queue should be DEST_KEY=queue
Does spaces around the equals make a difference? If so why?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
Data Management Digest – May 2026
