Splunk App For VMware. DCN. avoid collecting some data

splunk0
Path Finder

Is there a way to not collect a whole sourcetype?
I do not wish to collect vmware:perf:datastore, vmware:perf:disk, maybe more.
AFAIK, adding to "VM Metric Blacklist" will only not index specific metrics within a group, but not the whole group.

0 Karma
1 Solution

ivanreis
Builder

I suggest filtering those sourcetypes using props and transforms, creating a regex expression. Here is a link with a sample.
https://answers.splunk.com/answers/107605/filtering-events-out-via-props-conf-and-transforms-conf.ht...

It can be something like this:

props.conf

[type_your_sourcetype_here_for-vmware]
TRANSFORMS-Filterdatastoredisk = FilterVmware

transforms.conf
[FilterVmware]
REGEX =(?msi)vmware:perf\S(datastore|disk)
DEST_KEY = queue
FORMAT = nullQueue

For the regex expression, please validate the code; it can be similar to what I did, but you have to check it against your data.
For testing the regex expression, this online regex tool can be used: https://regex101.com/

ivanreis
Builder

You have to specify in your regex expression in transforms.conf which counters you don't want to index; otherwise, it will throw away the entire sourcetype. I believe in your case you have to create more than one regex expression to match the counters you want to drop from indexing.

Something like this:

props.conf

[type_your_sourcetype_here_for-vmware]
TRANSFORMS-Filterdatacount1 = filtercount1
TRANSFORMS-Filterdatacount2 = filtercount2

transforms.conf

[filtercount1]
REGEX =(?msi)vmware:perf\S(change the regex to match the sourcetype/counter)
DEST_KEY = queue
FORMAT = nullQueue

[filtercount2]
REGEX =(?msi)vmware:perf\S(change the regex to match the sourcetype/counter)
DEST_KEY = queue
FORMAT = nullQueue

0 Karma
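
A small offline model of index-time routing, for checking a transform's REGEX against sample events before deploying it. It is an added example, not code from the thread or from Splunk. It assumes no SOURCE_KEY is set, so REGEX is tested against _raw; the sample events, the `route` helper and the `setnull` transform name are constructed for illustration.

```python
import re

# Constructed sample events as (sourcetype, _raw); the field names are
# illustrative, not real output of the Splunk App for VMware.
EVENTS = [
    ("vmware:perf:datastore", "moid=host-12 datastore_read_kBps=120"),
    ("vmware:perf:disk", "moid=host-12 disk_usage_kBps=88"),
    ("vmware:perf:cpu", "moid=host-12 cpu_usage_pct=41.5"),
    ("vmware:perf:cpu", "moid=host-12 msg=\"compare with vmware:perf:disk\""),
]

def route(props, transforms, events):
    """Return the queue each event ends up in.

    props:      {sourcetype stanza: [transform names]}  (props.conf)
    transforms: {transform name: REGEX}                 (transforms.conf)
    Every transform is assumed to have DEST_KEY = queue, FORMAT = nullQueue
    and no SOURCE_KEY, so REGEX is searched in _raw, not in the sourcetype.
    """
    queues = []
    for sourcetype, raw in events:
        queue = "indexQueue"
        for name in props.get(sourcetype, []):
            if re.search(transforms[name], raw):
                queue = "nullQueue"
        queues.append(queue)
    return queues

# Variant 1: the thread's regex, attached to every perf sourcetype.
PROPS_RAW_MATCH = {st: ["FilterVmware"] for st in
                   ("vmware:perf:datastore", "vmware:perf:disk", "vmware:perf:cpu")}
TRANSFORMS_RAW_MATCH = {"FilterVmware": r"(?msi)vmware:perf\S(datastore|disk)"}

# Variant 2: one props stanza per unwanted sourcetype, REGEX matches any event.
PROPS_WHOLE_TYPE = {"vmware:perf:datastore": ["setnull"],
                    "vmware:perf:disk": ["setnull"]}
TRANSFORMS_WHOLE_TYPE = {"setnull": r"."}

if __name__ == "__main__":
    for label, p, t in (("raw match", PROPS_RAW_MATCH, TRANSFORMS_RAW_MATCH),
                        ("whole sourcetype", PROPS_WHOLE_TYPE, TRANSFORMS_WHOLE_TYPE)):
        for (st, raw), q in zip(EVENTS, route(p, t, EVENTS)):
            print(f"{label:17} {st:22} -> {q}")
```

With these constructed events, variant 1 drops only the event whose raw text happens to contain the sourcetype string, while variant 2 drops every datastore and disk event and keeps the rest.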

pruthvikrishnap
Contributor

While configuring the app, there are some options to blacklist. You can specify them here to be ignored and collect the rest.

0 Karma

splunk0
Path Finder

As I wrote in the post, the black/white list is for specific counters, not a whole type like vmware:perf:disk for host.

0 Karma