Admin Manual




This documentation does not apply to the most recent version of Splunk.

Index Specific Events

You want to index only the events that contain a certain pattern and drop everything else. In versions 2.1.2 and later, you do this by editing the $SPLUNK_HOME/etc/bundles/local/regexes.conf and props.conf files.


Create a filter in regexes.conf


In $SPLUNK_HOME/etc/bundles/local/regexes.conf add the following stanza:


[allow-regex]
REGEX = <accept pattern>
DEST_KEY = queue
DEFAULT_VALUE = nullQueue
FORMAT = indexQueue

This stanza says that if an event contains the accept pattern, its processing queue is set to indexQueue. If the pattern does not match, the default value of nullQueue is used and the event is discarded rather than indexed.


Create an entry in props.conf


In $SPLUNK_HOME/etc/bundles/local/props.conf add the following stanza:


[sourcetype | host | source]
REGEXES-filter = allow-regex

Replace the stanza name with the sourcetype, host, or source that you want this filtering applied to.
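The routing rule above drops every event that does not match, so it is worth checking the accept pattern against real event samples before deploying it. The following is an added example, not Splunk code or part of this manual: it parses a stanza in the regexes.conf format described here and applies the REGEX/FORMAT/DEFAULT_VALUE semantics to constructed sample events, reporting how many would be sent to nullQueue. The accept pattern (`\bsshd\b`), the stanza text, and the sample events are all constructed for the demonstration; Python's `re` stands in for the regex engine Splunk actually uses.

```python
import configparser
import re

# Constructed regexes.conf text in the stanza format this page describes.
REGEXES_CONF = r"""
[allow-regex]
REGEX = \bsshd\b
DEST_KEY = queue
DEFAULT_VALUE = nullQueue
FORMAT = indexQueue
"""

# Constructed sample events (not from a real system).
SAMPLE_EVENTS = [
    "Mar  1 10:00:01 host1 sshd[2211]: Accepted publickey for alice from 10.0.0.5",
    "Mar  1 10:00:02 host1 cron[2300]: (root) CMD (run-parts /etc/cron.hourly)",
    "Mar  1 10:00:03 host1 sshd[2215]: Failed password for invalid user admin from 10.0.0.9",
]


def load_filter(conf_text, stanza="allow-regex"):
    """Parse one regexes.conf stanza into its four routing keys."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case; the keys are upper-case in the file
    parser.read_string(conf_text)
    sec = parser[stanza]
    return {
        "regex": re.compile(sec["REGEX"]),
        "dest_key": sec["DEST_KEY"],
        "default": sec["DEFAULT_VALUE"],
        "format": sec["FORMAT"],
    }


def route(event, flt):
    """Return the queue for this event: FORMAT when REGEX matches anywhere in the
    raw event (an unanchored search), DEFAULT_VALUE otherwise."""
    return flt["format"] if flt["regex"].search(event) else flt["default"]


def dry_run(events, flt):
    """Route every event and count how many would go to the default (drop) queue."""
    routed = {event: route(event, flt) for event in events}
    dropped = sum(1 for queue in routed.values() if queue == flt["default"])
    return routed, dropped


if __name__ == "__main__":
    flt = load_filter(REGEXES_CONF)
    routed, dropped = dry_run(SAMPLE_EVENTS, flt)
    for event, queue in routed.items():
        print(f"{queue:10s} {event}")
    print(f"{dropped} of {len(SAMPLE_EVENTS)} events would be sent to {flt['default']}")
```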

This documentation applies to the following versions of Splunk: 2.1, 2.2, 2.2.1, 2.2.3, 2.2.6

