Getting Data In
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

how to exclude particular host for a input

moin140586
New Member
‎04-28-2021 10:44 PM

i have a index which has 3 inputs for security/application/system, since there is a need for application log for another app for same host , i want to exclude it from other one. how can we achieve this.

Labels (1)
Labels
0 Karma
Reply

aasabatini
Motivator
‎04-29-2021 12:06 AM

Hi @moin140586 

 

try this configuration:

props.conf

[host::<hostname>]
index=<your index>
TRANSFORMS-set= setnull

Transforms.conf

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

please add your correct index and hostname in a props stanza

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
Reply
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Customers Increasingly Choose Splunk for Observability

For the second year in a row, Splunk was recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for ...
Top