- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- how to not index some data or send it to null queu...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I want to know if there is some mechanism by which i can stop indexing a particular kind of data like if
segment_name="Enforced segment"
From getting indexed.
My inputs.conf has following entry
[monitor:///opt/splunk/logs/check//.log]
disabled = 0
host_segment = 5
sourcetype = check_logs
index = check
here i dont want those lines to get indexed if any of the log files has this pattern in it (segment_name="Enforced segment")
Is it possible ?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, add these configurations and check:
props.conf
[check_logs]
TRANSFORMS-null_queue = data_nullq
transforms.conf
[data_nullq]
DEST_KEY = queue
REGEX = segment_name=\"Enforced segment\"
FORMAT = nullQueue
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, add these configurations and check:
props.conf
[check_logs]
TRANSFORMS-null_queue = data_nullq
transforms.conf
[data_nullq]
DEST_KEY = queue
REGEX = segment_name=\"Enforced segment\"
FORMAT = nullQueue
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @manjunathmeti ,
thanks for quick reply
Only modification i did is i added like below for REGEX
REGEX = (segment_name=Enforced segment)
This will work right ? since i dont have that double quotes just equalto symbol is there.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes, this will work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @manjunathmeti,
I have one more query if you are aware how to confirm that those have started going to the nullqueue?
where can i check to get an confirmation that they are now going to the null queue
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Check: index=_internal sourcetype=splunkd component=metrics processor=nullqueue group=pipeline
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks a lot ..
For now am not seeing anything related to my configuration change. but i think will something soon ..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @manjunathmeti ,
Now the issue is they are getting blocked but other indexes are also effected by this change dont know why
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you are using same sourcetype name for other indexes or monitors then this chnage will affect them. You can set unique sourcetype to this monitor or change stanza in propsc.conf as below:
[source::/opt/splunk/logs/check/*.log]
TRANSFORMS-null_queue = data_nullq
New Case Study Shows the Value of Partnering with Splunk Academic Alliance
How to Monitor Google Kubernetes Engine (GKE)
Index This | How can you make 45 using only 4?
