Documentation > Splunk > Admin Manual > Filter unwanted events before indexing

Admin Manual

 


Overview
Setting Up Data Inputs
Authentication
Changing the Way Splunk Processes Your Data
Creating and Using Configuration Bundles
Configuring Your Sources
Splunk-2-Splunk Management
Integration
Managing Your Filesystem
How-To's

Filter unwanted events before indexing

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Filter unwanted events before indexing

This example will remove unwanted events such as "Last message repeated 35 times."


In order to filter out the specific event you will need to do 2 things:


  1. Create an entry in props.conf for that source (or sourcetype) that will call the appropriate regex
  2. Create a regex in transforms.conf that sends events that match to the null queue

Create an entry in props.conf:


In $SPLUNK_HOME/etc/bundles/local/props.conf add the following stanza: 


	[source::/var/log/splunk/syslog-ng/vmware.log]
	TRANSFORMS-vmwarefilter = nullQueueRegex

Create an entry in transforms.conf:


In $SPLUNK_HOME/etc/bundles/local/transforms.conf add the following stanza: 


    
    [nullQueueRegex]
    REGEX = Last message repeated
    DEST_KEY = queue
    FORMAT = nullQueue
Retrieved from "http://docs.splunk.com/Documentation/Splunk/2.2.3/Admin/FilterUnwantedEventsBeforeIndexing"

This documentation applies to the following versions of Splunk: 2.1 , 2.2 , 2.2.1 , 2.2.3 , 2.2.6 View the Article History for its revisions.


You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!