Solved: Re: Trouble ignoring events - Page 2

_smp_ · ‎07-05-2016

I'm having some difficulty forcing Splunk to ignore events which start with a '#' character. The file is compressed, but the events appear to be indexing OK. Here are my props and transforms - is there anything obviously wrong here?

[source::/logs/proxy/SG_proxyna_SIEM__1920629171951.log.gz.processed]
NO_BINARY_CHECK = true
invalid_cause = archive
unarchive_cmd = gunzip -c -f -S .processed
TRANSFORMS-comments = setNull
TRUNCATE = 20000
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 19

-
[setNull]
REGEX = ^#
DEST_KEY = queue
FORMAT = nullQueue

maciep · ‎07-05-2016

At a glance, I think everything looks ok. Do you have the props and transforms on the parsing layer of your environment, typically an indexer?

View solution in original post

MuS · ‎07-05-2016

or a Heavy weight forwarder - don't forget to restart the Splunk instance after you added the config files.

Trouble ignoring events

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Join the Conversation