Where do I exclude data from input?

sov_gwright
New Member

Hi,

I'm sorry in advance for the really basic question but Splunk is all new to me and I couldn't find exactly what I want in the documentation.

I have a server class (_server_app_PIA_App_Servers) that has an input to read logs from a specific application log directory (Peopletools Application Servers in this case). The logs have a lot of unimportant and repeating data and I don't want to index, mainly just things such as "checking for processes" that repeats every 5 seconds. I want to exclude this data from the index so it's not taking up unnecessary space and I'm pretty sure I need to add a props.conf and transforms.conf to do this (sending those lines to null with a transform) however I don't know WHERE to do it - do I put these in the Universal Forwarder /etc/apps/ directory for these specific servers, or do I put them on the Indexer in the DeployedApps directory and redeploy the app?

Or somewhere else??

Thanks!

Grahame

0 Karma

dkeck
Influencer

Hi,

This is set on the indexer. Depending on whether you have a cluster, set it in /master-apps and apply a new bundle; if standalone, set it in an app/local or in system/local, or deploy it with the deployment server from /deployment-apps.

Like this:

props.conf

    # Stanza for the sourcetype whose events you want to filter
    [<sourcetype>]
    TRANSFORMS-<name> = <name_in_transforms>

transforms.conf

    [<name_in_transforms>]
    # PCRE regex matched against the raw event; matching events are dropped
    REGEX = <regex_matching_events_to_discard>
    DEST_KEY = queue
    FORMAT = nullQueue


0 Karma
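A filled-in version of the template above for the case in the question, added here as an illustration and not taken from the thread: the app name pt_filter, the sourcetype name peopletools:appsrv and the exact wording of the noisy line are assumptions, since the thread only quotes "checking for processes". Both files belong on the indexer (or a heavy forwarder), because the universal forwarder does not run the parsing pipeline and ignores TRANSFORMS settings placed there.

```ini
# $SPLUNK_HOME/etc/apps/pt_filter/local/props.conf  (on the indexer or heavy forwarder)
# "pt_filter" and the sourcetype name are assumed for this example.
[peopletools:appsrv]
# Transforms listed here run in order during parsing; one drop rule is enough here.
TRANSFORMS-drop_noise = pt_drop_process_check

# $SPLUNK_HOME/etc/apps/pt_filter/local/transforms.conf
[pt_drop_process_check]
# PCRE, matched against _raw. The phrase is the one quoted in the question (exact
# log wording assumed). Keep the pattern narrow: a broad regex such as ".*process.*"
# would also discard startup failures and other events you want to keep for investigation.
REGEX = (?i)checking for processes
# Route matching events to the null queue so they are never written to an index.
DEST_KEY = queue
FORMAT = nullQueue
```

Restart splunkd on the indexer after adding the files, then confirm with a search on the sourcetype that new events containing the phrase no longer arrive while the other events still do; events dropped at this stage are never indexed and do not count toward license volume.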

sov_gwright
New Member

Perfect, thanks! It's not a cluster, but since this app is not installed on the indexer (it's not in etc/apps/, only in etc/deployed-apps) I'll throw the files in system/local.

0 Karma

dkeck
Influencer

There is no directory called etc/deployed-apps, only deployment-apps. Deployed apps from a deployment server are deployed to /etc/apps on the client 🙂 Please keep this in mind 🙂

You can also just create an app in /etc/apps/ on the indexer to contain the props and transforms:

    /etc/apps/<app_name>/local
0 Karma

gcusello
SplunkTrust

Hi sov_gwright,
The parsing phase is on Indexers or on Heavy Forwarders.
Follow the documentation at https://docs.splunk.com/Documentation/Splunk/7.2.1/Forwarding/Routeandfilterdatad to filter your events.

Bye.
Giuseppe

0 Karma

sov_gwright
New Member

Thanks, I had looked at that, but the section on filtering data to null is not explicit about where to put the props and transforms files.

0 Karma