Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I limit what kind of events go into Splunk to avoid daily license limit?

rung8
New Member
‎12-17-2018 11:06 AM

Hi everyone,

As the title suggests I was wondering if I can filter the logs that go into Splunk to avoid the daily volume limit. Our catalina logs show a lot of junk, and we only want the good stuff. Letting it index all of it would easily go over the limit.

I looked in the documentations, and it says that I can configure routing and filtering ONLY on a heavy forwarder, not a universal one.

If this is the case, then I should point all my uniForwarders to the heavy forwarder to do the filtering right?

Does sending traffic to nullQueue prevent the daily volume from going up? or does it still take it?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

prakash007
Builder
‎12-17-2018 11:39 AM

@rung8 : you don't have to point all your forwarders to a heavy forwarder, you can filter the unwanted data via nullQueue on the indexers as well, and they are not counted against your license volume(nullQueue process happens during the parsing phase of the pipeline)
Hope this splunk docs will give you an idea...
http://docs.splunk.com/Documentation/Splunk/7.2.1/Forwarding/Routeandfilterdatad#Filter_event_data_a...
http://docs.splunk.com/Documentation/Splunk/7.2.1/Admin/Configurationparametersandthedatapipeline#Ho...

View solution in original post

Reply
Solved! Jump to solution

kmorris_splunk
Splunk Employee
Splunk Employee
‎12-17-2018 11:44 AM

@prakash007 is correct in his comment. I would caution you when filtering out data however. Sometimes we don't know what we don't know, so be careful to be very specific on your regex when filtering. I have seen several customers who have inadvertently filtered out things that they didn't intend to.

0 Karma
Reply
Solved! Jump to solution

sloshburch
Splunk Employee
Splunk Employee
‎01-02-2019 01:44 PM

And other's that use the searches from that data point draw conclusions on incomplete data sets...

0 Karma
Reply
Solved! Jump to solution
Solution

prakash007
Builder
‎12-17-2018 11:39 AM

@rung8 : you don't have to point all your forwarders to a heavy forwarder, you can filter the unwanted data via nullQueue on the indexers as well, and they are not counted against your license volume(nullQueue process happens during the parsing phase of the pipeline)
Hope this splunk docs will give you an idea...
http://docs.splunk.com/Documentation/Splunk/7.2.1/Forwarding/Routeandfilterdatad#Filter_event_data_a...
http://docs.splunk.com/Documentation/Splunk/7.2.1/Admin/Configurationparametersandthedatapipeline#Ho...

Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...