Getting Data In

ignore all static content files from indexing

safe_splunk
Explorer

Hi,

I tried props.conf and transforms.conf solution but it did not work.

props.conf

[access_combined]
pulldown_type = true
maxDist = 28
MAX_TIMESTAMP_LOOKAHEAD = 128
REPORT-access = access-extractions
SHOULD_LINEMERGE = False
TIME_PREFIX = \[
TRANSFORMS-set= strip_images_header

transforms.conf

[strip_images_header]
REGEX = *.jpg*
DEST_KEY = queue
FORMAT = nullQueue

But .jpg files are still indexing on access_combined sourcetype logs. What do i do wrong?
Please Help

Tags (1)
0 Karma

safe_splunk
Explorer

REGEX = (.jpg|.png|.gif|.xml|.ico|.css|.js)

ok all set thanks friends.

0 Karma

Ayn
Legend

Your regex is syntactically incorrect. You can verify here for instance: http://regexpal.com/

You probably want something like REGEX = \.jpg$

More information about regular expressions: http://www.regular-expressions.info/

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Sure, from a regex point of view that's still one expression, only slightly more complex:

REGEX = \.(jpg|png|gif)$
0 Karma

safe_splunk
Explorer

All set thanks for help friends.
Last question is can i write multiple entries in one regexp line?

such as

REGEXP .jpg|.png|.gif

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

If you're putting this config onto a universal forwarder then nothing's going to happen because the UF doesn't parse the input data. You need to configure this on the indexers or heavy forwarders.

0 Karma

safe_splunk
Explorer

Thanks i find that out and changed it on the forwarder configs but still did not work. Now I try same config on the indexer configs. Waiting for result restart takes time too big. > 50TB.

0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!