Admin Manual

How Splunk Works

Filtering and routing

This documentation does not apply to the most recent version of Splunk.

You can set up Splunk to filter out unwanted events before forwarding and indexing. Edit props.conf and transforms.conf on the forwarding side to eliminate unnecessary data before forwarding.


Configuration

In order to filter out specific events, do the following two things:


  1. Create a regex in transforms.conf that sends the events that match to the null queue.
  2. Create an entry in props.conf for a specific source, sourcetype or host that will call the appropriate transform.

transforms.conf

In $SPLUNK_HOME/etc/bundles/local/transforms.conf add the following stanza:


[$UNIQUE_STANZA_NAME]
REGEX = $YOUR_CUSTOM_REGEX
DEST_KEY = queue
FORMAT = nullQueue

$YOUR_CUSTOM_REGEX should specify the key term that will identify the events you want to remove.

Leave DEST_KEY and FORMAT with the above values to send identified events to the nullQueue (that is, to drop them before indexing).


props.conf

In $SPLUNK_HOME/etc/bundles/local/props.conf add the following stanza:


[<spec>]
TRANSFORMS-$name=$UNIQUE_STANZA_NAME

<spec> can be:

  1. <sourcetype>, the sourcetype of an event
  2. host::<host>, where <host> is the host for an event
  3. source::<source>, where <source> is the source for an event

$name is whatever unique identifier you want to give to your transform.


$UNIQUE_STANZA_NAME must match the stanza name of the transform you just created in transforms.conf.

Example

transforms.conf

[nullQueueRegex]
REGEX = Last message repeated
DEST_KEY = queue
FORMAT = nullQueue

props.conf

[source::/var/log/splunk/syslog-ng/vmware.log]
TRANSFORMS-vmwarefilter = nullQueueRegex

This example removes events containing "Last message repeated" (such as "Last message repeated n times.") from the vmware.log source before they are indexed; events from other sources are not affected because no props.conf stanza applies the transform to them.
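The following Python script is an added example, not part of the Splunk documentation and not Splunk's own routing code. It reads the two configuration fragments above with configparser and simulates how the TRANSFORMS-&lt;name&gt; setting routes events to the nullQueue: a transform only applies to events whose source, sourcetype or host matches the props.conf stanza, and REGEX is an unanchored, case-sensitive search over the raw event text. The sample events are constructed for the example, and stanza matching is simplified to exact string comparison (real Splunk also accepts wildcard patterns in source:: stanzas), so it is a tool for checking a filter against sample data before deploying it, not a reimplementation of the indexing pipeline.

```python
import configparser
import re

# Configuration fragments copied from the page's example. Splunk .conf files
# are INI-like, so configparser parses them (keys kept case-sensitive below).
TRANSFORMS_CONF = """
[nullQueueRegex]
REGEX = Last message repeated
DEST_KEY = queue
FORMAT = nullQueue
"""

PROPS_CONF = """
[source::/var/log/splunk/syslog-ng/vmware.log]
TRANSFORMS-vmwarefilter = nullQueueRegex
"""

# Constructed sample events; the field names mirror Splunk's (source, host,
# sourcetype, _raw) but the contents are invented for this example.
SAMPLE_EVENTS = [
    {"source": "/var/log/splunk/syslog-ng/vmware.log", "sourcetype": "syslog",
     "host": "esx01", "_raw": "Jan  1 00:00:01 esx01 syslog-ng[123]: Last message repeated 3 times"},
    {"source": "/var/log/splunk/syslog-ng/vmware.log", "sourcetype": "syslog",
     "host": "esx01", "_raw": "Jan  1 00:00:02 esx01 vmkernel: VMotion of vm-42 completed"},
    # Same text, different source: no props.conf stanza applies the transform here.
    {"source": "/var/log/messages", "sourcetype": "syslog",
     "host": "web01", "_raw": "Jan  1 00:00:03 web01 syslogd: Last message repeated 2 times"},
]


def load_conf(text):
    """Parse a .conf fragment into {stanza_name: {key: value}}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep REGEX / DEST_KEY / TRANSFORMS-x exactly as written
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def stanza_applies(stanza, event):
    """Exact-match simplification of the three <spec> forms: sourcetype, host::, source::."""
    if stanza.startswith("host::"):
        return event["host"] == stanza[len("host::"):]
    if stanza.startswith("source::"):
        return event["source"] == stanza[len("source::"):]
    return event["sourcetype"] == stanza


def sends_to_null_queue(event, props, transforms):
    """True if any applicable TRANSFORMS-* routes the event to the nullQueue."""
    for stanza, settings in props.items():
        if not stanza_applies(stanza, event):
            continue
        for key, value in settings.items():
            if not key.startswith("TRANSFORMS-"):
                continue
            # A TRANSFORMS-<name> value may list several transforms, comma-separated.
            for name in (n.strip() for n in value.split(",")):
                t = transforms[name]
                if t.get("DEST_KEY") != "queue" or t.get("FORMAT") != "nullQueue":
                    continue
                # REGEX is an unanchored search over the raw event text.
                if re.search(t["REGEX"], event["_raw"]):
                    return True
    return False


def filter_events(events, props_text=PROPS_CONF, transforms_text=TRANSFORMS_CONF):
    """Split events into (kept, dropped) the way the forwarder would before indexing."""
    props = load_conf(props_text)
    transforms = load_conf(transforms_text)
    kept, dropped = [], []
    for ev in events:
        (dropped if sends_to_null_queue(ev, props, transforms) else kept).append(ev)
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = filter_events(SAMPLE_EVENTS)
    for ev in dropped:
        print("DROPPED:", ev["_raw"])
    for ev in kept:
        print("KEPT:   ", ev["_raw"])
```

Because anything sent to the nullQueue is never indexed, running a candidate REGEX over a representative sample like this (and counting what it drops) is the check worth doing before the filter goes live: an overly broad expression silently removes evidence you may later need, and the loss is not visible in search results.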

This documentation applies to the following versions of Splunk: 3.0, 3.0.1, 3.0.2, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.1.4.
