Hi,
I want to keep only logs not containing the word "chatbot".
This word is present in the _raw data.
I'm using the method explained in the following doc: Route and filter data
The props.conf and transforms.conf are set on the indexers and I restarted my indexers.
But logs with this word are still present.
Any idea, or way to debug this point?
props.conf
[MySourcetype]
INDEXED_EXTRACTIONS = JSON
TIME_PREFIX=\"timestamp\":
TIME_FORMAT=%s%3N
#Do not index chatbot data
TRANSFORMS-null = API-NullQueue
transforms.conf
[API-NullQueue]
REGEX = chatbot
DEST_KEY = queue
FORMAT = nullQueue
Thanks all.

I seem to recall something about index-time operations not working when used with indexed extractions.
Also, if you're using 9.0 you can use Ingest Actions to filter data.

Hi @_olivier_,
this configuration must be located on the Indexers or (when present) on intermediate Heavy Forwarders.
Do you have intermediate HFs in your architecture?
Did you check the regex you are using? In other words, is the word "chatbot" present in each event to discard?
Ciao.
Giuseppe

Hi,
Thank you for your rapid answer!
I have no HF on this part of my network, only UFs forwarding data to indexers.
I checked the regex on regex101; this word matches each line I need to send to nullQueue.

Hi @_olivier_,
let me understand:
only two final (very stupid) questions:
Ciao.
Giuseppe

@gcusello, yes to all the final (not stupid) questions!
@PickleRick, my servers are 8.2.5, maybe a point to upgrade!
I will open a case and come back with their advice.
Thanks all!
Olivier

Hi @_olivier_,
ok, the only doubt is the one mentioned by @PickleRick: I searched in the documentation but I didn't find any information about this.
So, to be more sure: open a case with Splunk Support, they will surely and quickly give you the correct answer.
Ciao.
Giuseppe

There doesn't seem to be a direct mention of that in the docs.
But it does make sense. If you set indexed_extractions, the extraction is done _at the UF level_ when the file is read. So it is pushed further downstream in parsed form, not cooked. So subsequent components do not run props/transforms.
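Added example, not posted by anyone in this thread: the same nullQueue filter as in the original question, but placed on the universal forwarder that reads the JSON file. It assumes what the previous reply describes, namely that with INDEXED_EXTRACTIONS the UF does the parsing and the indexers never evaluate index-time TRANSFORMS for those events, so the filter has to live on the UF. The app name `my_inputs_app` is hypothetical; the stanza names and settings are the ones from the original question.

```ini
# Added example (not the original poster's files and not verbatim Splunk documentation).
# Assumed location on the universal forwarder, NOT on the indexers:
#   $SPLUNK_HOME/etc/apps/my_inputs_app/local/props.conf
#   $SPLUNK_HOME/etc/apps/my_inputs_app/local/transforms.conf
# Assumption: INDEXED_EXTRACTIONS makes the UF parse this sourcetype, so the
# TRANSFORMS-* setting is only honoured where the parsing happens (the UF).
# A copy of these stanzas left on the indexers is harmless but never evaluated
# for events that arrive already parsed from the UF.

# ---- props.conf ----
[MySourcetype]
INDEXED_EXTRACTIONS = JSON
TIME_PREFIX = \"timestamp\":
TIME_FORMAT = %s%3N
# Do not index chatbot data: evaluated on the forwarder at read time
TRANSFORMS-null = API-NullQueue

# ---- transforms.conf ----
[API-NullQueue]
# REGEX is PCRE and case-sensitive: "chatbot" will not match "Chatbot" or
# "CHATBOT". Use REGEX = (?i)chatbot if the word can appear in any case.
REGEX = chatbot
DEST_KEY = queue
FORMAT = nullQueue
```

After deploying, restart the forwarder (`splunk restart` on the UF) and confirm the effective configuration there with `splunk btool props list MySourcetype --debug` and `splunk btool transforms list API-NullQueue --debug`; the `--debug` output names the file each setting comes from, which is the quickest way to spot a stanza that only exists on the indexers. Note that nullQueue only affects data from that point on: events containing the word that were indexed before the change remain searchable until their bucket ages out.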
