Channel: Questions in topic: "splunk-enterprise"

Will SEDCMD replace strings in particular events before indexing and send it to nullQueue?

I have been using both SEDCMD and nullQueue to remove unnecessary events and strings in particular events.

transforms.conf

REGEX = (Hostname:\slocalhost)
DEST_KEY = queue
FORMAT = nullQueue

The above transforms.conf will not index the events which contain the hostname localhost, which is a good way to eliminate indexing unnecessary events like this. nullQueue will remove the entire event and doesn't have the capability to remove a string in the event instead of removing the entire event. So I adopted SEDCMD to replace the particular string with an empty space in all the events. But my question is: if I use SEDCMD, will it replace the string before indexing and send it to nullQueue, so that daily indexing volume will increase? Can someone advise on this?
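An added example, not part of the original post: one way the two settings from the question are wired together across props.conf and transforms.conf. The sourcetype name, the stanza and class names, and the string removed by SEDCMD are assumptions made for illustration; only the REGEX, DEST_KEY and FORMAT values come from the post.

```ini
# props.conf
# [example:app_log] is a hypothetical sourcetype name
[example:app_log]
# Send every event of this sourcetype through the transform below;
# events matching its REGEX are routed to nullQueue and dropped whole
TRANSFORMS-drop_localhost = drop_localhost_events
# Remove a substring from _raw instead of dropping the event.
# "SessionDebug=<value>" is a constructed sample string, not from the post
SEDCMD-strip_debug = s/SessionDebug=\S+\s?//g

# transforms.conf
# The stanza name is hypothetical; the three settings are from the post
[drop_localhost_events]
REGEX = (Hostname:\slocalhost)
DEST_KEY = queue
FORMAT = nullQueue
```

Both settings are applied at parse time, so they belong on the instance that parses the data (an indexer or heavy forwarder) rather than on a universal forwarder.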
