Hi Team,
In our environment I can see that a few of the sourcetypes are coming in with *small* from both the internal as well as the non-internal indexes. Since these logs are not required for us, I want to disable them before ingestion time itself by placing the props and transforms at the indexer level.
So if any sourcetype has the keyword "small", like too_small, os_tab_small or any other type, then the logs should not be ingested into Splunk. So kindly provide the props and transforms for the same.
Hi @anandhalagaras1,
Splunk will automatically try to classify your data if you don't specify a sourcetype. For small sets of data, such as less than 100 events, Splunk will label the data as "too_small".
You should find these sources and specify a sourcetype for them.
Thank you for your swift response.
So I want to filter out the logs completely from Splunk ingestion if they contain something like *small* in the sourcetype, so what would be the props and transforms for the same? To save some license, I want to filter out those logs which come with sourcetype "*small*".
I just checked the query as you mentioned, and I can see around 50+ sourcetypes containing _*small* in the sourcetype, so these would not be of much importance, I believe (correct me if I am wrong?), so I am planning to stop ingesting those logs into Splunk. So if any sourcetype has *small* in it, then those logs should not be ingested into Splunk. So kindly help with the props and transforms.
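
One way to express the filter requested in this thread, as an added example that is not from any of the posters and has not been tested against this environment: a `[default]` props stanza that sends every event through a transform which matches on the sourcetype metadata and routes matches to the null queue. The stanza name `drop_small_sourcetypes` and the class name `drop_small` are hypothetical.

```ini
# props.conf (on the indexers, or on a heavy forwarder if one parses the data first)
# [default] applies the transform to every event regardless of sourcetype.
[default]
TRANSFORMS-drop_small = drop_small_sourcetypes

# transforms.conf (same instance as the props.conf above)
# drop_small_sourcetypes is a hypothetical stanza name.
[drop_small_sourcetypes]
# Match on the sourcetype metadata instead of the raw event text.
SOURCE_KEY = MetaData:Sourcetype
# The key's value carries a "sourcetype::" prefix, e.g. sourcetype::too_small.
REGEX = ^sourcetype::.*small
# Route matching events to the null queue so they are discarded before indexing.
DEST_KEY = queue
FORMAT = nullQueue
```

The regex drops every sourcetype whose name contains "small", so list the matching sourcetypes first and confirm none is needed for detection or audit. Events routed to nullQueue are not indexed and cannot be recovered later.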