This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk: 3.2 , 3.2.1 , 3.2.2 , 3.2.3 , 3.2.4 , 3.2.5 , 3.2.6
Set up Splunk to filter out unwanted events before forwarding and indexing. Edit props.conf and transforms.conf on the forwarding side to eliminate unnecessary data before forwarding. Use the $SPLUNK_HOME/etc/bundles/README/props.conf.example and ../transforms.conf.example as examples, or create your own props.conf and transforms.conf. Make any changes in $SPLUNK_HOME/etc/bundles/local/, or your own custom bundle directory. For more information on configuration files in general, see how configuration files work.
Note: You must set up this configuration on the Splunk instance that handles the parsing. Depending on your configuration, this may be the either the indexer or the forwarder instance.
In order to filter out specific events:
In $SPLUNK_HOME/etc/bundles/local/transforms.conf add the following stanza:
[$UNIQUE_STANZA_NAME] REGEX = $YOUR_CUSTOM_REGEX DEST_KEY = queue FORMAT = nullQueue
$YOUR_CUSTOM_REGEX should specify the key term that identifies the events you want to remove.
Leave DEST_KEY and FORMAT with the above values to send identified events to the nullQueue (eg delete them before indexing).
In $SPLUNK_HOME/etc/bundles/local/props.conf add the following stanza:
[<spec>] TRANSFORMS-$name=$UNIQUE_STANZA_NAME
<spec> can be:
{$name}} is whatever unique identifier you want to give to your transform.
$UNIQUE_STANZA_NAME must match the stanza name of the transform you just created in transforms.conf.
This example removes unwanted events such as "Last message repeated n times."
[nullQueueRegex] REGEX = Last message repeated DEST_KEY = queue FORMAT = nullQueue
[source::/var/log/splunk/syslog-ng/vmware.log] TRANSFORMS-vmwarefilter = nullQueueRegex