Getting Data In

How to stop indexing a specific log for a particular switch in my production environment?

vineeth10
New Member

Hello,

There is request from my client to stop indexing a specific log for a particular switch in my production.
For ex: I want to stop indexing a log for user login on device 10.xx.xx.xx.
Just for an single device.

Is there any way I can achieve this?


spsrasru
Path Finder

Try this

props.conf: (you can replace sourcetype with syslog)

[syslog]
TRANSFORMS-switch = switchFilter

transforms.conf:

[switchFilter]
REGEX = 10.xx.xx.xx
DEST_KEY = queue
FORMAT = nullQueue

Make sure you reload Splunk (https://:8000/debug/refresh) or restart the Splunk service after applying the props and transforms.

Thanks,
Sp


vineeth10
New Member

I hope it won't stop all logs for the particular device, as the intention is not to stop all the logs but just a specific log from the device.


spsrasru
Path Finder

Never mind. I thought you were trying to stop all the events from a particular device; the configuration I gave above stops all the events.

shaskell already gave what you need, but to discard specific events and keep the rest:

props:

[host::10.xx.xx.xx]
TRANSFORMS-null= setnull

transforms:

[setnull]
REGEX = string you need to discard
DEST_KEY = queue
FORMAT = nullQueue


shaskell_splunk
Splunk Employee

Can you clarify how the data is getting into Splunk? Is it coming directly from the switch via Syslog or from a Syslog aggregation point using the Universal Forwarder?

If there's no way to disable the logging directly at the source and you just don't want the data indexed, then you can configure Splunk to send the data to the null queue for that source IP address of the device. You do need to validate that the IP address is the actual hostname from a Splunk search and, if it's not, update the host stanza to the correct hostname for the device.

It's going to be a combination of props and transforms on your indexer(s).

props.conf

[host::10.xx.xx.xx]
TRANSFORMS-null = setnull

transforms.conf

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
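The two replies above give the same props/transforms shape with one difference: REGEX = . drops every event from the host, while a REGEX that matches only the login message drops just that event. The following is an added example, not code from the thread or from Splunk, that emulates the indexer's routing decision on constructed syslog lines so you can check a REGEX and host stanza before touching production. The hostnames, IPs and the Cisco-style "%SEC_LOGIN-5-LOGIN_SUCCESS" message text are made up; put your own switch's actual login message text in REGEX.

```python
"""Emulate Splunk's props/transforms nullQueue routing on constructed syslog events.

Added example, not from the original thread. It models the decision the indexer
makes when a [host::...] props stanza hands an event to a transform that has
DEST_KEY = queue / FORMAT = nullQueue: the transform's REGEX is searched
(unanchored) against the raw event text, and a match re-routes the event to
nullQueue instead of indexQueue. All hosts, IPs and message formats are made up.
"""
import re
from typing import List, Tuple

# Constructed events as (host, _raw). The host value is whatever Splunk assigned
# from the syslog header or the sending connection; the [host::...] stanza is
# matched against that field, which is why the reply above says to confirm the
# host value with a search before writing the stanza.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("10.0.0.5", "<189>Jan 10 12:00:01 sw-core-01 %SEC_LOGIN-5-LOGIN_SUCCESS: "
                 "Login Success [user: admin] [Source: 192.0.2.10] [localport: 22]"),
    ("10.0.0.5", "<189>Jan 10 12:00:05 sw-core-01 %LINK-3-UPDOWN: Interface "
                 "GigabitEthernet1/0/1, changed state to down"),
    ("10.0.0.5", "<189>Jan 10 12:00:09 sw-core-01 %SYS-5-CONFIG_I: Configured "
                 "from console by admin on vty0 (192.0.2.10)"),
    ("10.0.0.9", "<189>Jan 10 12:00:07 sw-edge-02 %SEC_LOGIN-5-LOGIN_SUCCESS: "
                 "Login Success [user: netops] [Source: 192.0.2.11] [localport: 22]"),
]


def matches_host_stanza(stanza_host: str, event_host: str) -> bool:
    """[host::X] in props.conf is matched against the event's host field.
    Dots are literal; a '*' in the stanza name is a wildcard. Everything else
    must match exactly."""
    pattern = "^" + re.escape(stanza_host).replace(r"\*", ".*") + "$"
    return re.match(pattern, event_host) is not None


def route_event(host: str, raw: str, stanza_host: str, regex: str) -> str:
    """Return the queue the event ends up in: 'nullQueue' (discarded before
    indexing) or 'indexQueue' (kept). REGEX in transforms.conf is an unanchored
    search over _raw, so re.search is the right emulation; the pattern does not
    have to cover the whole line."""
    if matches_host_stanza(stanza_host, host) and re.search(regex, raw):
        return "nullQueue"
    return "indexQueue"


def route_events(events, stanza_host: str, regex: str):
    return [(route_event(h, r, stanza_host, regex), r) for h, r in events]


def render_conf(stanza_host: str, regex: str) -> str:
    """Emit the props.conf / transforms.conf pair that the routing above
    emulates, in the form used by the replies in this thread."""
    return (
        "# props.conf\n"
        f"[host::{stanza_host}]\n"
        "TRANSFORMS-null = setnull\n\n"
        "# transforms.conf\n"
        "[setnull]\n"
        f"REGEX = {regex}\n"
        "DEST_KEY = queue\n"
        "FORMAT = nullQueue\n"
    )


if __name__ == "__main__":
    # 1) REGEX = .  drops every event from the host (what the reply above does).
    # 2) REGEX = the login message identifier drops only the login event; other
    #    events from the same host and logins from other hosts are still indexed.
    for label, regex in [("drop everything", "."),
                         ("drop logins only", r"%SEC_LOGIN-5-LOGIN_SUCCESS")]:
        print(f"== {label}: REGEX = {regex}")
        for queue, raw in route_events(SAMPLE_EVENTS, "10.0.0.5", regex):
            print(f"  {queue:10s} {raw[:64]}")
        print(render_conf("10.0.0.5", regex))
```

Run it with a host value taken from `index=... | stats count by host` and the exact login line from your switch; if the host field turns out to be the switch's syslog hostname rather than its IP, the `[host::...]` stanza has to use that value or nothing will be dropped.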

vineeth10
New Member

I tried but it didn't work 😞


vineeth10
New Member

We have pointed the syslog at the Splunk server; there is no universal forwarder. So if a user logs in to the switch, I don't want that log to be captured in Splunk.


masonmorales
Influencer

@vineeth10 You may want to take a look at this: http://www.georgestarcher.com/splunk-success-with-syslog/


shaskell_splunk
Splunk Employee

Try the method I've suggested to drop any events coming from that device from being indexed. The key is to make sure you have the correct hostname in the props.conf stanza.
