Solved: Re: Where do I exclude data from input?

sov_gwright · ‎12-18-2018

Hi,

I'm sorry in advance for the really basic question but Splunk is all new to me and I couldn't find exactly what I want in the documentation.

I have a server class (_server_app_PIA_App_Servers) that has an input to read logs from a specific application log directory (Peopletools Application Servers in this case). The logs have a lot of unimportant and repeating data and I don't want to index, mainly just things such as "checking for processes" that repeats every 5 seconds. I want to exclude this data from the index so it's not taking up unnecessary space and I'm pretty sure I need to add a props.conf and transforms.conf to do this (sending those lines to null with a transform) however I don't know WHERE to do it - do I put these in the Universal Forwarder /etc/apps/ directory for these specific servers, or do I put them on the Indexer in the DeployedApps directory and redeploy the app?

Or somewhere else??

Thanks!

Grahame

dkeck · ‎12-18-2018

HI,

this is set on the indexer. Depending if you have a cluster set it in /master-apps and apply a new bundle, or if standalone set it in an app/local or in system/local / or deploy it with deployment server in /deployment-apps

Like this:

props.conf

  [sourcetype]

     TRANSFORMS-<name>=<name_in_transforms>





transforms.conf

     [<name_in_transforms>]

    REGEX=""


     DEST_KEY=queue

     FORMAT=nullQueue

View solution in original post

dkeck · ‎12-18-2018

HI,

this is set on the indexer. Depending if you have a cluster set it in /master-apps and apply a new bundle, or if standalone set it in an app/local or in system/local / or deploy it with deployment server in /deployment-apps

Like this:

props.conf

  [sourcetype]

     TRANSFORMS-<name>=<name_in_transforms>





transforms.conf

     [<name_in_transforms>]

    REGEX=""


     DEST_KEY=queue

     FORMAT=nullQueue

sov_gwright · ‎12-18-2018

Perfect, thanks! It's not a cluster, but since this app is not installed on the indexer (it's not in etc/apps/, only in etc/deployed-apps) I'll throw the files in system/local.

dkeck · ‎12-18-2018

There is no directory called etc/deployed-apps, only deployment-apps. Deployed apps from a deployment server are deployed to /etc/apps on the client 🙂 have this in mind please 🙂

you can also just create an app in /etc/apps/ on the indexer to contain the props and transforms in

> /etc/apps/<app_name>/local

gcusello · ‎12-18-2018

Hi sov_gwright,
parsing phase is on Indexers or on Heavy Forwarders.
Follow documentation at https://docs.splunk.com/Documentation/Splunk/7.2.1/Forwarding/Routeandfilterdatad to filer your events.

Bye.
Giuseppe

sov_gwright · ‎12-18-2018

Thanks, I had looked at that but the section on filtering data to null is not explicit on where to put the props and transforms files.

Where do I exclude data from input?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Analytics Workspace deprecation

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation