Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I limit what kind of events go into Splunk to avoid daily license limit?

rung8
New Member
‎12-17-2018 11:06 AM

Hi everyone,

As the title suggests I was wondering if I can filter the logs that go into Splunk to avoid the daily volume limit. Our catalina logs show a lot of junk, and we only want the good stuff. Letting it index all of it would easily go over the limit.

I looked in the documentations, and it says that I can configure routing and filtering ONLY on a heavy forwarder, not a universal one.

If this is the case, then I should point all my uniForwarders to the heavy forwarder to do the filtering right?

Does sending traffic to nullQueue prevent the daily volume from going up? or does it still take it?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

prakash007
Builder
‎12-17-2018 11:39 AM

@rung8 : you don't have to point all your forwarders to a heavy forwarder, you can filter the unwanted data via nullQueue on the indexers as well, and they are not counted against your license volume(nullQueue process happens during the parsing phase of the pipeline)
Hope this splunk docs will give you an idea...
http://docs.splunk.com/Documentation/Splunk/7.2.1/Forwarding/Routeandfilterdatad#Filter_event_data_a...
http://docs.splunk.com/Documentation/Splunk/7.2.1/Admin/Configurationparametersandthedatapipeline#Ho...

View solution in original post

Reply
Solved! Jump to solution

kmorris_splunk
Splunk Employee
Splunk Employee
‎12-17-2018 11:44 AM

@prakash007 is correct in his comment. I would caution you when filtering out data however. Sometimes we don't know what we don't know, so be careful to be very specific on your regex when filtering. I have seen several customers who have inadvertently filtered out things that they didn't intend to.

0 Karma
Reply
Solved! Jump to solution

sloshburch
Splunk Employee
Splunk Employee
‎01-02-2019 01:44 PM

And other's that use the searches from that data point draw conclusions on incomplete data sets...

0 Karma
Reply
Solved! Jump to solution
Solution

prakash007
Builder
‎12-17-2018 11:39 AM

@rung8 : you don't have to point all your forwarders to a heavy forwarder, you can filter the unwanted data via nullQueue on the indexers as well, and they are not counted against your license volume(nullQueue process happens during the parsing phase of the pipeline)
Hope this splunk docs will give you an idea...
http://docs.splunk.com/Documentation/Splunk/7.2.1/Forwarding/Routeandfilterdatad#Filter_event_data_a...
http://docs.splunk.com/Documentation/Splunk/7.2.1/Admin/Configurationparametersandthedatapipeline#Ho...

Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...