Filter log data collection
You can filter vCenter Server log data and ESXi log data using nullQueue. nullQueue discards the data when TA-vmware receives it from the vCenter Server forwarder. Adjust the content of props.conf to filter data and reduce the volume of data you are indexing. The content in props.conf works with the content in transforms.conf to route sourcetypes to nullQueue; transforms.conf performs the actual routing.
Filter vCenter server log data example
- To filter vCenter Server log data, locate the props.conf file for Splunk_TA_vcenter on the universal or heavy forwarder on the vCenter Server. You need to find the props.conf that exists on the forwarder or indexer that parses events.
  - If the forwarder on the vCenter Server is a heavyweight forwarder, open its props.conf for editing.
  - If the forwarder on the vCenter Server is a universal forwarder, find the heavyweight forwarder operating as an intermediate forwarder, or the indexer that parses events, then open its props.conf for editing.
- In the props.conf file, verify that the transforms-routing attributes, which determine how to route the vpxd events, are uncommented.
  For sourcetype = vmware:vclog:vpxd, verify the following stanzas are uncommented:

      #TRANSFORMS-null1 = vmware_vpxd_level_null
      #TRANSFORMS-null4 = vmware_vpxd_retrieveContents_null
      #TRANSFORMS-null5 = vmware_vpxd_null

  For sourcetype = vmware:vclog:vpxd-alert, verify the following stanzas are uncommented:

      #TRANSFORMS-null2 = vmware_vpxd_level_null,vmware_vpxd_level_null2

  For sourcetype = vmware:vclog:vpxd-profiler, verify the following stanzas are uncommented:

      #TRANSFORMS-null3 = vmware_vpxd_level_null,vmware_vpxd_level_null2

Filter ESXi logs example
This example filters ESXi logs to send events with sourcetype=vmware:esxlog:sfcb-vmware to nullQueue.
- To filter ESXi logs, locate and open the props.conf file for Splunk_TA_esxilogs on the intermediate forwarder for syslog data. You need to find the props.conf that exists on the forwarder or indexer that parses events.
  - If the syslog forwarder is a heavyweight forwarder, open its props.conf for editing.
  - If the syslog forwarder is a universal forwarder operating as an intermediate forwarder, find the heavyweight forwarder or the indexer that parses events, then open its props.conf for editing.
- In the props.conf file, create an entry as per the following:

      [vmw-syslog]
      TRANSFORMS-z_nullqueue = sfcb_to_null

- Locate and open the transforms.conf for Splunk_TA_esxilogs.
- Splunk Enterprise filters data based on sourcetype at index time. To filter the data by sourcetype, create an entry as per the following:

      [sfcb_to_null]
      SOURCE_KEY = MetaData:Sourcetype
      REGEX = vmware:esxlog:sfcb-vmware
      DEST_KEY = queue
      FORMAT = nullQueue

The transform routes the syslog events based on the string sfcb-vmware in a syslog event.
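A dry run of the props.conf and transforms.conf entries above, as an added example that is not part of the Splunk documentation or the add-on: it evaluates the sfcb_to_null transform against constructed events to show which ones would be discarded before indexing. It assumes the final sourcetype is already assigned when the transform runs and that Splunk presents MetaData:Sourcetype as sourcetype::<value>; the function names and the third sample sourcetype are hypothetical.

```python
import configparser
import re

# Stanzas as given on the page.
PROPS = "[vmw-syslog]\nTRANSFORMS-z_nullqueue = sfcb_to_null\n"
TRANSFORMS = """[sfcb_to_null]
SOURCE_KEY = MetaData:Sourcetype
REGEX = vmware:esxlog:sfcb-vmware
DEST_KEY = queue
FORMAT = nullQueue
"""

def load(text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep attribute names case-sensitive
    cp.read_string(text)
    return cp

def route(event, props, transforms, stanza="vmw-syslog"):
    """Return the queue the event ends in; "indexQueue" means it is kept."""
    queue = "indexQueue"
    # Assumption: TRANSFORMS-<class> attributes apply in class-name order.
    for key in sorted(k for k in props[stanza] if k.startswith("TRANSFORMS-")):
        for name in (n.strip() for n in props[stanza][key].split(",")):
            t = transforms[name]
            if t["SOURCE_KEY"] == "MetaData:Sourcetype":
                # Assumption: the key is presented as "sourcetype::<value>".
                value = "sourcetype::" + event["sourcetype"]
            else:
                value = event["_raw"]
            if t["DEST_KEY"] == "queue" and re.search(t["REGEX"], value):
                queue = t["FORMAT"]
    return queue

# Constructed events (not from a real host); the third sourcetype is hypothetical.
EVENTS = [
    {"sourcetype": "vmware:esxlog:sfcb-vmware", "_raw": "sfcb-vmware_base: timeout"},
    {"sourcetype": "vmware:esxlog:hostd", "_raw": "hostd: sfcb-vmware restarted"},
    {"sourcetype": "vmware:esxlog:sfcb-vmware-int", "_raw": "constructed variant"},
]

def dropped(events=EVENTS):
    """Sourcetypes of the events that would be discarded."""
    props, transforms = load(PROPS), load(TRANSFORMS)
    return [e["sourcetype"] for e in events
            if route(e, props, transforms) == "nullQueue"]

if __name__ == "__main__":
    print(dropped())
```

Under these assumptions the hostd event is kept even though its text mentions sfcb-vmware, because the transform reads the sourcetype and not the raw event. The REGEX is unanchored, so the hypothetical sourcetype that merely contains the string is discarded as well.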
For more information on nullQueue, see Filter event data and send it to queues.
This documentation applies to the following versions of Splunk® App for VMware (Legacy): 3.4.0