We have the add-on installed. Is there any way to exclude specific types of events from indexing?
Hi @rayar,
Are you speaking of a Splunk Cloud environment or Splunk Enterprise on premises?
If Splunk Enterprise on premises, you can follow the instructions at https://docs.splunk.com/Documentation/Splunk/9.0.2/Forwarding/Routeandfilterdatad#Filter_event_data_...
If Splunk Cloud, you have to ask Splunk Support.
Ciao.
Giuseppe
We are on Splunk Enterprise on premises.
Is there an option to exclude those events in the Splunk Add-on for AWS as well?
Thanks a lot, I was able to filter the data.
One more question: how can I define a monitoring stanza for s3://aws-controltower-logs-272341124329 .....
I have tested with
[source::.../aws-controltower-logs-272341124329*/.../*.json.gz]
but I want to add s3://
Hi @rayar,
I never tried, because I haven't needed to ingest S3 logs, and I usually prefer to use sourcetype instead of source; if possible, I suggest using it so you don't have this problem.
Anyway, you could try with * or consider that stanza a regex, so you could escape (with a backslash) the first chars.
Ciao.
Giuseppe
The question is how I mark that // is part of the path.
I tried \/\/ but it didn't work.
How do I mark the special characters?
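
Added example (not part of the thread, and not Splunk's or the add-on's own code): a small Python model of the wildcard rules Splunk documents for [source::...] stanzas, where "..." is equivalent to the regex .* and "*" to [^/]*, for checking which sources a filter stanza would match before it starts dropping events. The object paths under the bucket name are constructed sample values, and the model assumes every other character, including ":" and "/", is matched literally.

```python
import re

def source_pattern_to_regex(pattern):
    """Model of the documented props.conf source:: wildcard rules (assumption:
    any character that is not a wildcard, '|' or parenthesis is literal)."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("...", i):   # '...' crosses path separators
            out.append(".*")
            i += 3
        elif pattern[i] == "*":            # '*' stays inside one path segment
            out.append("[^/]*")
            i += 1
        elif pattern[i] in "|()":          # alternation and grouping pass through
            out.append(pattern[i])
            i += 1
        else:                              # ':' and '/' need no escaping
            out.append(re.escape(pattern[i]))
            i += 1
    # The expression must match the entire source name, not a substring.
    return re.compile("^(?:" + "".join(out) + ")$")

def matches(pattern, source):
    return source_pattern_to_regex(pattern).match(source) is not None

# Stanza patterns: the first is the one tested in the thread, the second
# prefixes it with the literal scheme the poster wants to add.
TESTED = ".../aws-controltower-logs-272341124329*/.../*.json.gz"
WITH_SCHEME = "s3://aws-controltower-logs-272341124329*/.../*.json.gz"

# Constructed sample source values (not taken from the thread).
NESTED = ("s3://aws-controltower-logs-272341124329-us-east-1/o-example/"
          "AWSLogs/272341124329/CloudTrail/us-east-1/2023/01/01/example.json.gz")
BUCKET_ROOT = "s3://aws-controltower-logs-272341124329-us-east-1/example.json.gz"
OTHER_BUCKET = "s3://another-bucket/AWSLogs/111111111111/example.json.gz"

def coverage(pattern):
    """Return which of the sample sources a stanza pattern would select."""
    samples = {"nested": NESTED, "bucket_root": BUCKET_ROOT, "other": OTHER_BUCKET}
    return {name: matches(pattern, src) for name, src in samples.items()}

if __name__ == "__main__":
    for p in (TESTED, WITH_SCHEME):
        print(p, coverage(p))
```

Under this model, a stanza attached to a nullQueue transform selects only objects nested at least one level below the matching bucket, so the same check shows both what would be dropped and what would still be indexed.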