Splunk Enterprise

Event filter on WEC vs Event blacklist on UF

adalbor
Builder

Hey All,

I am comparing two routes to blacklist/filter events.

1) Filter events out at our WECs using the event filter
2) Blacklist the events on the Universal Forwarders

We currently have different events filtered/blacklisted in both areas but I want to consolidate for management purposes and for ease of use.
Are there any benefits to either one?

Filtering on the WEC means it's not collecting the events, period, saving storage space and resource usage. I can't find anywhere, though, that documents or defines any performance hits from doing that in the WEC subscriptions.

I do love that I can use a regex to filter out specific things like process names on 4688s on the UF.

I was thinking of filtering out all the full events I don't want on the WEC, then using the blacklist on the UF to filter out specific events from certain event types like the 4688.

Any thoughts or guidance?

Thanks!
Andrew


kmorris_splunk
Splunk Employee

The benefit of filtering at the UF is the ability to easily change the blacklisting. If you are filtering out things at the WEC, then the data isn't there at all. So, in short, if you think you might need it at some point, then I would say to collect it and blacklist.

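The UF half of the split the question describes (drop whole event types, then trim 4688 by process name with a regex), written out as an added example that is not from this thread. It uses the documented inputs.conf key="regex" blacklist form for a forwarder reading the WEC host's ForwardedEvents channel; the event codes and process names are illustrative assumptions, not anything the original posters mentioned.

```ini
# inputs.conf on the Universal Forwarder installed on the WEC host.
# Added example; the event codes and process names below are assumed
# for illustration, not taken from the thread.
[WinEventLog://ForwardedEvents]
disabled = 0

# Separate blacklistN lines are ORed: an event matching any one is dropped.
# key="regex" pairs on the same line are ANDed: every pair must match.

# Whole event types to drop on the UF. EventCode is matched as a regex,
# so anchor it to avoid matching longer codes that contain these digits.
blacklist1 = EventCode="^(?:5156|5158)$"

# Keep 4688 in general, but drop it when the new process is one of the
# assumed noisy system binaries. Message is matched as PCRE against the
# rendered event text; "\\" in the conf file is a literal backslash.
blacklist2 = EventCode="^4688$" Message="New Process Name:\s+\S+\\(?:conhost|backgroundTaskHost)\.exe"
```

This blacklist runs on the forwarder after it has already read the event from ForwardedEvents, so it reduces what is sent and indexed but not what the WEC collects; the WEC-side counterpart for dropping a whole event type is a Suppress clause in the subscription's XPath query. Because the UF rule lives in inputs.conf, it can be changed and pushed (for example from a deployment server) without touching the subscription.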
