Splunk Cloud Platform
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Filtering Sourcetypes which contains an information the information as small

anandhalagaras1
Communicator
‎02-28-2021 07:35 PM

Hi Team,

In our environment I can see few of the sourcetypes are coming with *small* from both the internal as well as from non-internal indexes. So  hence these logs are not required for us so I want to disable them before ingestion time itself by placing the props and transforms in the indexer level.

So any sourcetype has a keyword with "small" might be like too_small , os_tab_small or anytype then the logs should not be ingested into Splunk. So kindly provide with the props and transforms for the same.

 

 

 

Labels (3)
0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎02-28-2021 09:19 PM

Hi @anandhalagaras1,

Splunk will automatically try to classify your data if you don't specify a sourcetype. For small sets of data, such as less than 100 events, Splunk will label the data as "too_small". 

You should find these sources and specify sourcetype for them.

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

anandhalagaras1
Communicator
‎02-28-2021 09:24 PM

@scelikok ,

Thank you for your swift response.

So i want to filter out the logs completely if it contains something like *small* in the sourcetype from splunk ingestion so what would be the props and transforms for the same. Since saving some Licenses i want to filter out those logs which comes with sourcetype "*small*"

0 Karma
Reply

anandhalagaras1
Communicator
‎02-28-2021 09:31 PM

@scelikok ,

Just checked the query as you mentioned i can see around 50+ sourcetypes contains with _*small* in the sourcetype so these would of not much important i believe (Correct me if i am wrong?) so I am planning to stop ingesting those logs into Splunk. So any sourcetype which has *small* in it then those logs should not be ingested into Splunk. So kindly help with the props and transforms.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...