1. What is the way to exclude certain events from being indexed by Splunk?

Answer» If you do not want every event indexed in Splunk, you can keep the unwanted ones from ever entering the index. Debug messages generated during your application development cycle are a common example. Unwanted events are discarded by routing them to the null queue: a transform with a REGEX that matches the events you want to keep routes them to the index queue, and everything else is sent to nullQueue. The null-queue routing is defined at the forwarder level in transforms.conf (it takes effect where parsing happens, i.e. on a heavy forwarder or the indexer) and is wired to a source in props.conf. Below is an example that drops all events EXCEPT those containing the debug message. The transforms listed in TRANSFORMS-set run in the order given, and a later matching transform overrides the queue chosen by an earlier one, so the order matters.

In props.conf:

    [source::/var/log/foo]
    # By applying transforms in this order,
    # events will be DROPPED to the FLOOR
    # before being routed to the index processor
    TRANSFORMS-set = setnull, setparsing

In transforms.conf:

    [setnull]
    REGEX = .
    DEST_KEY = queue
    FORMAT = nullQueue

    [setparsing]
    REGEX = debugmessage
    DEST_KEY = queue
    FORMAT = indexQueue
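To see why the order of the two transforms matters, here is an added Python model of how Splunk applies a TRANSFORMS-set list (this is illustrative code, not Splunk's own implementation): every transform whose REGEX matches writes its FORMAT into the queue key, so the last match wins. It runs the page's two stanzas over a few constructed log lines and also an inverted pair (an assumption, not from the page) that keeps everything and drops only the debug events, which is what the question literally asks for.

```python
import re

# Transforms as (name, REGEX, FORMAT), in the order listed in TRANSFORMS-set.
# DEST_KEY is always "queue" here, exactly as in the stanzas above.
PAGE_TRANSFORMS = [
    ("setnull", r".", "nullQueue"),                # matches every event
    ("setparsing", r"debugmessage", "indexQueue"),  # re-routes debug events
]

# Inverted pair (assumed, not on the page): index everything, drop debug events.
DROP_DEBUG_TRANSFORMS = [
    ("keepall", r".", "indexQueue"),
    ("dropdebug", r"debugmessage", "nullQueue"),
]


def route_event(raw, transforms, default="indexQueue"):
    """Return the queue an event ends up in.

    Transforms are evaluated in TRANSFORMS-set order; each matching transform
    overwrites the queue key, so the last matching transform decides.
    """
    queue = default
    for _name, regex, fmt in transforms:
        if re.search(regex, raw):
            queue = fmt
    return queue


def route_all(events, transforms):
    """Map every raw event to the queue it is routed to."""
    return {raw: route_event(raw, transforms) for raw in events}


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    "2024-01-01T10:00:00 INFO user login ok",
    "2024-01-01T10:00:01 DEBUG debugmessage cache miss",
    "2024-01-01T10:00:02 ERROR disk full",
]

if __name__ == "__main__":
    for label, t in (("page config", PAGE_TRANSFORMS),
                     ("drop-debug config", DROP_DEBUG_TRANSFORMS)):
        print(label)
        for raw, q in route_all(SAMPLE_EVENTS, t).items():
            print(f"  {q:10s} {raw}")
```

Reversing the two stanzas in PAGE_TRANSFORMS sends every event to nullQueue, because setnull would then be the last match for the debug lines too.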