Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to prevent the indexing of particular error. Is it possible to filter by Message?

cmahan
Path Finder
‎08-28-2015 01:59 PM

I can't quite find a way to block this particular event from being indexed. Blacklisting doesn't seem to be an option and the transforms regex method is just a little over my head in this scenario.. here is the event below. This one event generates over a million events a week and is killing my license. I need to block it until the issue is resolved and it is taking a while to nail it down.

LogName=Application
SourceName=SlxSearchTrigger
EventCode=4
EventType=2
Type=Error
ComputerName=Example-SLX
TaskCategory=None
OpCode=None
RecordNumber=237604
Keywords=Classic
Message=Execute Method: Recordset not returned from Trigger_Params
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎08-30-2015 11:20 AM

If what you listed is the raw log text (not field names with values) then you can do something like this on your Indexers:

props.conf

[PutYourSourcetypeHere]
TRANSFORMS-license_killers = recordset_not_returned

###transforms.conf

[recordset_not_returned]
REGEX = (?m)^Message=Execute Method: Recordset not returned from Trigger_Params$
DEST_KEY = queue
FORMAT = nullQueue

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎08-30-2015 11:20 AM

If what you listed is the raw log text (not field names with values) then you can do something like this on your Indexers:

props.conf

[PutYourSourcetypeHere]
TRANSFORMS-license_killers = recordset_not_returned

###transforms.conf

[recordset_not_returned]
REGEX = (?m)^Message=Execute Method: Recordset not returned from Trigger_Params$
DEST_KEY = queue
FORMAT = nullQueue
Reply
Solved! Jump to solution

cmahan
Path Finder
‎08-31-2015 12:32 PM

Thanks!. I'll give it a shot today.

0 Karma
Reply
Solved! Jump to solution

cmahan
Path Finder
‎09-04-2015 06:14 AM

Once I finally realized this was for the indexer, not the forwarders, I got it working. Thanks! I had been thinking we had to prevent the data from even going to the indexer. This seems to be doing the trick, as I have stopped the events from showing up in search - and also it appears the license consumption has gone down some.. not as much as expected, but it is better!

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...