Getting Data In

Don't Index Certain Data

Kyle_Brandt
Path Finder

I have turned on security auditing temporarily in Windows and because of this have exceeded my indexing limit.

I was told when purchasing Splunk that you can prevent certain data from being index with filters to prevent this from happening.

How do I create one of these filters?

Tags (2)
0 Karma

csparling
New Member

Is it also possible to not index certain data if you're not using a forwarder? Our setup is pretty simple in that we only have a single Splunk instance running without any forwarding. I've tried a number of times to set up Splunk to drop data based on the client IP by following the steps outlined but not having any luck!

0 Karma

ziegfried
Influencer

You can find the relevant documentation here: http://www.splunk.com/base/Documentation/4.1.7/Admin/Routeandfilterdata

You need to send those events to the nullQueue via transforms.

gkanapathy
Splunk Employee
Splunk Employee

This should help with the "which files" queston: http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings%3F but pretty much if you're using LWF, you filter on the indexer.

0 Karma

Kyle_Brandt
Path Finder

At zeigfried, any chance you could spoonfeed me an example for for wineventlog:security coming in via a light forwarder from certain hosts? Also confused about which props / trans files I should be editing...

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...