filter source

chanduira · ‎08-18-2016

Hi Experts,

I am getting data from 10 sources, I want to send 3 source data to nullque.

I tried with below props.conf and transforms.conf configuration. But first source is filtering events from reset is not working.

vi props.conf
[source::ghcmapp]
[source::lsof]
[source::ps]
TRANSFORMS-null = setnull

vi transforms.conf

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

chanduira · ‎08-22-2016

Tried with individual stanza for each source, but its not working.

renjith_nair · ‎08-18-2016

You original config entries might be different but just to confirm, did you add TRANSFORMS-null=setnull under each of the source stanza? If not add the entry to each of the source stanza you want to filter- in this case ghcmapp,lsof,ps

You can set its based on sourcetype spec also , for eg:

[ps]
TRANSFORMS-null = setnull

http://docs.splunk.com/Documentation/Splunk/6.4.2/Forwarding/Routeandfilterdatad#Discard_specific_ev...

---
What goes around comes around. If it helps, hit it with Karma 🙂

filter source

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation

filter source

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A