Splunk Dev

How do I filter out certain messages in Splunk Cloud?

ichard
Engager

I have a data source that is very noisy, and I'd like to exclude certain messages from that source from indexing in my Splunk Cloud instance.

I see from this answer that it's possible to filter out certain messages by editing config files in a self-hosted Splunk instance. How do I accomplish the same thing in Splunk Cloud? I'm guessing that it involves adding a field transformation from the GUI, but I don't understand how to complete the form when I just want to throw away messages that match my regex.

(I don't have enough points to post a link, sorry about that)


acharlieh
Influencer

Basically you come up with props.conf and transforms.conf settings that get applied at index time (whether that's with the UI or by hand, either way). If it's a message that matches a regex, you would typically have a TRANSFORMS attribute in props pointing to a stanza in transforms.conf that, when your regex matches, sets the next queue to the nullQueue. See the example at: http://docs.splunk.com/Documentation/Splunk/6.4.1/Forwarding/Routeandfilterdatad#Filter_event_data_a...

With Splunk Cloud, I'm not sure if you could log a ticket once you've developed the configuration and get them to plop your settings onto your indexers (I would think this falls into "Modifying the configuration settings of your Splunk Cloud deployment" that Splunk Support is supposed to be able to help you with per the FAQ, but I'm not a Splunk Cloud customer). The alternative is where you set up a (group of) Heavy Weight (Intermediate) Forwarder(s). In this setup, instead of having your existing forwarders send directly to Splunk Cloud, they send to the HWFs. The HWFs apply all the parsing and filtering rules and only forward on those that you want to. This gives you more instant control, of course, with the cost of maintaining more systems and settings obviously.
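The props.conf/transforms.conf pair described in the answer above, written out as an added example (not from the original post or from Splunk's docs); the sourcetype name `my_noisy_sourcetype` and the heartbeat regex are placeholders you would replace with your own. It shows both the "drop what matches" form and the stricter "drop everything except what matches" form, which is what the linked docs page demonstrates.

```ini
# props.conf -- deploy on the parsing tier (indexers, or the heavy forwarders
# that sit in front of Splunk Cloud). Universal forwarders do not parse and
# therefore cannot apply these rules.
[my_noisy_sourcetype]
# Pattern 1: drop only the events that match the regex.
TRANSFORMS-drop_noise = drop_heartbeats

[my_noisy_sourcetype_keep_only]
# Pattern 2: order matters. setnull first routes everything to nullQueue,
# then keep_errors overrides the queue for events you actually want kept.
TRANSFORMS-keep_only = setnull, keep_errors

# transforms.conf
[drop_heartbeats]
# REGEX is matched against _raw by default (SOURCE_KEY = _raw).
# Keep it narrow: events sent to nullQueue are discarded, not recoverable.
REGEX = (?i)\b(heartbeat|keepalive)\b
DEST_KEY = queue
FORMAT = nullQueue

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[keep_errors]
REGEX = (?i)\b(error|failed|denied)\b
DEST_KEY = queue
FORMAT = indexQueue
```

After the settings are in place, search the sourcetype for a sample of the dropped pattern to confirm nothing you still need was routed to nullQueue, since filtered events never reach the index and cannot be replayed from Splunk.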
