This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk: 3.0 , 3.0.1 , 3.0.2 , 3.1 , 3.1.1 , 3.1.2 , 3.1.3 , 3.1.4
You can set up Splunk to filter out unwanted events before forwarding and indexing. Edit props.conf and transforms.conf on the forwarding side to eliminate unnecessary data before forwarding.
In order to filter out specific events, do the following two things:
In $SPLUNK_HOME/etc/bundles/local/transforms.conf add the following stanza:
[$UNIQUE_STANZA_NAME]
REGEX = $YOUR_CUSTOM_REGEX
DEST_KEY = queue
FORMAT = nullQueue
$YOUR_CUSTOM_REGEX should specify the key term that will identify the events you want to remove.
Leave DEST_KEY and FORMAT set to the values above so that the identified events are sent to the nullQueue (that is, deleted before indexing).
In $SPLUNK_HOME/etc/bundles/local/props.conf add the following stanza:
[<spec>]
TRANSFORMS-$name = $UNIQUE_STANZA_NAME
<spec> can be:
$name is whatever unique identifier you want to give to your transform.
$UNIQUE_STANZA_NAME must match the stanza name of the transform you just created in transforms.conf.
For example, in transforms.conf:
[nullQueueRegex]
REGEX = Last message repeated
DEST_KEY = queue
FORMAT = nullQueue
and in props.conf:
[source::/var/log/splunk/syslog-ng/vmware.log]
TRANSFORMS-vmwarefilter = nullQueueRegex
This example removes unwanted events such as "Last message repeated n times."
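To see how the two stanzas work together, here is an added Python emulation of the filtering step (not Splunk's own code): it parses the example transforms.conf and props.conf stanzas above and applies them to constructed sample events, dropping only events whose source matches the props stanza and whose text matches REGEX. The event tuples, and matching only on sourcetype or source:: (not host::), are assumptions of this example.

```python
import configparser
import re

# Constructed sample configs (not the page's files): the page's example stanzas.
TRANSFORMS_CONF = """
[nullQueueRegex]
REGEX = Last message repeated
DEST_KEY = queue
FORMAT = nullQueue
"""
PROPS_CONF = """
[source::/var/log/splunk/syslog-ng/vmware.log]
TRANSFORMS-vmwarefilter = nullQueueRegex
"""
# Constructed sample events as (source, sourcetype, raw text) tuples.
EVENTS = [
    ("/var/log/splunk/syslog-ng/vmware.log", "syslog", "esx1 vmkernel: disk latency high"),
    ("/var/log/splunk/syslog-ng/vmware.log", "syslog", "esx1 Last message repeated 3 times"),
    ("/var/log/messages", "syslog", "host2 Last message repeated 2 times"),
]

def load_conf(text):
    # Splunk .conf files are INI-style stanzas; keep key case (REGEX, DEST_KEY).
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def stanza_matches(stanza, source, sourcetype):
    # props.conf [<spec>]: a sourcetype name or source::<path> (host:: not modelled).
    if stanza.startswith("source::"):
        return stanza[len("source::"):] == source
    return stanza == sourcetype

def routes_to_null(t, raw):
    # A transform sends the event to nullQueue when its REGEX matches the raw text.
    return (t.get("DEST_KEY") == "queue" and t.get("FORMAT") == "nullQueue"
            and re.search(t.get("REGEX", ""), raw) is not None)

def filter_events(events, props, transforms):
    # Emulate the forwarder: drop events that any applicable TRANSFORMS-* rule nulls.
    kept = []
    for source, sourcetype, raw in events:
        drop = any(
            routes_to_null(transforms.get(name.strip(), {}), raw)
            for stanza, keys in props.items() if stanza_matches(stanza, source, sourcetype)
            for key, value in keys.items() if key.startswith("TRANSFORMS-")
            for name in value.split(","))
        if not drop:
            kept.append(raw)
    return kept
```

Note that the third event matches REGEX but is kept, because its source does not match the props.conf stanza; the transform only applies where props.conf references it.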