- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- clarification with indexing time and trasforfms.co...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I would like to reduce the license consumption and therefore think of installing HF and applying filtering there.
However, the more I read about it the more I come to the conclusion it will cost me some considerable amount of work as we have quite some number of clients. Also, it looks like the HF is nothing else but Splunk Enterprise, which instead of indexing does transform/ filtering and then forwards the data to the indexer.
So, I am asking myself if it would not be better to skip the HF idea and create the filtering with the help of props.conf / transforms.conf directly on the target indexer, e.g. like that:
props.conf
...
[(?::){0}*hanatraces]
TRANSFORMS-hatracesFilterEvents = hanatracessetnull
transforms.conf
...
[hanatracessetnull]
REGEX=(?m).*i TraceContext TraceContext\.cpp.*\s|(?m).*e ExprConversionTo ConvertExpression\.cpp.*\s|(?m).*STATS_WORKER.*\s
DEST_KEY=queue
FORMAT=nullQueue
Which in this case would filter out the events including corresponding patterns I do not need.
But it would only make sense if the above transforms takes place before indexing/license calculation.
Could anyone confirm it?
Kind Regards,
Kamil
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @damucka,
yes your idea is correct: HF is a complete Splunk Enterprise installation configured to transform events and send them to Indexers.
It's usefun in many Use Cases where I need to concentrate logs (e.g. many Universal Forwarders in a segregate network that I don't want to open to Indexers).
If the load of your indexers isn't too high (or the resources aren't too few) you can filter data in Indexers without problems: I usually do it, I use HFs only when I need to concentrate data, never only for filtering or transforming.
About the license consuption, filteriring is applied before indexing and license calculation, so you haven't license consuption from the deleted logs.
You'll have only a little overload on the Indexers (CPU): use the suggested configurations for Indexers and monitor load and you'll haven't any problem!
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @damucka,
yes your idea is correct: HF is a complete Splunk Enterprise installation configured to transform events and send them to Indexers.
It's usefun in many Use Cases where I need to concentrate logs (e.g. many Universal Forwarders in a segregate network that I don't want to open to Indexers).
If the load of your indexers isn't too high (or the resources aren't too few) you can filter data in Indexers without problems: I usually do it, I use HFs only when I need to concentrate data, never only for filtering or transforming.
About the license consuption, filteriring is applied before indexing and license calculation, so you haven't license consuption from the deleted logs.
You'll have only a little overload on the Indexers (CPU): use the suggested configurations for Indexers and monitor load and you'll haven't any problem!
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First of all read
https://docs.splunk.com/Documentation/Splunk/8.0.1/Forwarding/Routeandfilterdatad
If your data have not been going trough any processing first then you can use props/transforms on your indexer and route events to null queue if you do not want it to be calculated to your licensing. (Same as you can use splunk on a single machine that can take all roles, but it is not recomended for enterprise installations)
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
