Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to not index some data or send it to null queue

surekhasplunk
Communicator
‎04-02-2020 01:29 AM

Hi,

I want to know if there is some mechanism by which i can stop indexing a particular kind of data like if
segment_name="Enforced segment"

From getting indexed.

My inputs.conf has following entry

[monitor:///opt/splunk/logs/check//.log]
disabled = 0
host_segment = 5
sourcetype = check_logs
index = check

here i dont want those lines to get indexed if any of the log files has this pattern in it (segment_name="Enforced segment")

Is it possible ?

Thanks

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

manjunathmeti
SplunkTrust
SplunkTrust
‎04-02-2020 01:56 AM

Yes, add these configurations and check:

props.conf

[check_logs]
TRANSFORMS-null_queue = data_nullq

transforms.conf

[data_nullq]
DEST_KEY = queue
REGEX = segment_name=\"Enforced segment\"
FORMAT = nullQueue

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

manjunathmeti
SplunkTrust
SplunkTrust
‎04-02-2020 01:56 AM

Yes, add these configurations and check:

props.conf

[check_logs]
TRANSFORMS-null_queue = data_nullq

transforms.conf

[data_nullq]
DEST_KEY = queue
REGEX = segment_name=\"Enforced segment\"
FORMAT = nullQueue
0 Karma
Reply
Solved! Jump to solution

surekhasplunk
Communicator
‎04-02-2020 02:36 AM

Hi @manjunathmeti ,

thanks for quick reply

Only modification i did is i added like below for REGEX
REGEX = (segment_name=Enforced segment)

This will work right ? since i dont have that double quotes just equalto symbol is there.

0 Karma
Reply
Solved! Jump to solution

manjunathmeti
SplunkTrust
SplunkTrust
‎04-02-2020 02:37 AM

yes, this will work.

0 Karma
Reply
Solved! Jump to solution

surekhasplunk
Communicator
‎04-02-2020 02:45 AM

Thanks @manjunathmeti,

I have one more query if you are aware how to confirm that those have started going to the nullqueue?
where can i check to get an confirmation that they are now going to the null queue

0 Karma
Reply
Solved! Jump to solution

manjunathmeti
SplunkTrust
SplunkTrust
‎04-02-2020 02:56 AM

Check: index=_internal sourcetype=splunkd component=metrics processor=nullqueue group=pipeline

0 Karma
Reply
Solved! Jump to solution

surekhasplunk
Communicator
‎04-02-2020 03:33 AM

Thanks a lot ..
For now am not seeing anything related to my configuration change. but i think will something soon ..

0 Karma
Reply
Solved! Jump to solution

surekhasplunk
Communicator
‎04-03-2020 01:23 AM

Hi @manjunathmeti ,

Now the issue is they are getting blocked but other indexes are also effected by this change dont know why

0 Karma
Reply
Solved! Jump to solution

manjunathmeti
SplunkTrust
SplunkTrust
‎04-03-2020 01:27 AM

If you are using same sourcetype name for other indexes or monitors then this chnage will affect them. You can set unique sourcetype to this monitor or change stanza in propsc.conf as below:

[source::/opt/splunk/logs/check/*.log]
TRANSFORMS-null_queue = data_nullq
0 Karma
Reply
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...