- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Where do I exclude data from input?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I'm sorry in advance for the really basic question but Splunk is all new to me and I couldn't find exactly what I want in the documentation.
I have a server class (_server_app_PIA_App_Servers) that has an input to read logs from a specific application log directory (Peopletools Application Servers in this case). The logs have a lot of unimportant and repeating data and I don't want to index, mainly just things such as "checking for processes" that repeats every 5 seconds. I want to exclude this data from the index so it's not taking up unnecessary space and I'm pretty sure I need to add a props.conf and transforms.conf to do this (sending those lines to null with a transform) however I don't know WHERE to do it - do I put these in the Universal Forwarder /etc/apps/ directory for these specific servers, or do I put them on the Indexer in the DeployedApps directory and redeploy the app?
Or somewhere else??
Thanks!
Grahame
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HI,
this is set on the indexer. Depending if you have a cluster set it in /master-apps and apply a new bundle, or if standalone set it in an app/local or in system/local / or deploy it with deployment server in /deployment-apps
Like this:
props.conf
[sourcetype]
TRANSFORMS-<name>=<name_in_transforms>
transforms.conf
[<name_in_transforms>]
REGEX=""
DEST_KEY=queue
FORMAT=nullQueue
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HI,
this is set on the indexer. Depending if you have a cluster set it in /master-apps and apply a new bundle, or if standalone set it in an app/local or in system/local / or deploy it with deployment server in /deployment-apps
Like this:
props.conf
[sourcetype]
TRANSFORMS-<name>=<name_in_transforms>
transforms.conf
[<name_in_transforms>]
REGEX=""
DEST_KEY=queue
FORMAT=nullQueue
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Perfect, thanks! It's not a cluster, but since this app is not installed on the indexer (it's not in etc/apps/, only in etc/deployed-apps) I'll throw the files in system/local.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There is no directory called etc/deployed-apps, only deployment-apps. Deployed apps from a deployment server are deployed to /etc/apps on the client 🙂 have this in mind please 🙂
you can also just create an app in /etc/apps/ on the indexer to contain the props and transforms in
> /etc/apps/<app_name>/local
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi sov_gwright,
parsing phase is on Indexers or on Heavy Forwarders.
Follow documentation at https://docs.splunk.com/Documentation/Splunk/7.2.1/Forwarding/Routeandfilterdatad to filer your events.
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, I had looked at that but the section on filtering data to null is not explicit on where to put the props and transforms files.
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
