Deployment Architecture

Configure Splunk to ignore logs from some VMs on the same physical host

namrithadeepak
Path Finder

Hi,

I have a setup (shown in the pictures) in which a bunch of forwarders are sending data to Splunk. One of the forwarders has many VMs on a single physical machine.

I would like to receive data only from vm2, and not ingest logs from vm1, 3 and 4. I also want to send _internal logs from this VM to the indexer.

I do not want to touch any of the other forwarder-indexer connections.

I would preferably do it on the forwarder instead of the indexer, because the indexer is already receiving logs from other forwarders.

Please guide me on what settings I should change.

Thanks,
Namritha

0 Karma

jcrabb_splunk
Splunk Employee

I would recommend reviewing the Route and Filter Data document; specifically, you could route the unwanted data to the nullQueue, which is discussed in that same document further down the page, HERE.

Jacob
Sr. Technical Support Engineer
0 Karma

namrithadeepak
Path Finder

Thank you.

I would like to route events to null queue based on the source, since the source has the vm name in its format.

source=/directory to log/hostName-vmName-TypeofLog.log

How do I do the null queue routing based on the source name?

0 Karma

jcrabb_splunk
Splunk Employee

I would agree it's better to not ingest the files if that is an option. If that is not an option, you can use source as outlined in the link I posted previously (HERE); it provides an example for source:

# props.conf
[source::/var/log/messages]
TRANSFORMS-null = setnull

Jacob
Sr. Technical Support Engineer
0 Karma

adonio
Ultra Champion

Why would you like to use the null queue?
If this is the path to the file, you can just specify the [monitor] stanza in inputs.conf,
something like this:

[monitor://directory_to_log/hostName-vm2-TypeofLog.log]
sourcetype = sourcetype
index = index

This will save you from monitoring all the logs on the forwarder and filtering on the indexer...
Hope this makes sense.

0 Karma

namrithadeepak
Path Finder

Thank you.

My requirement is specifically to allow all logs except those having vm1, vm3 and vm4 in their source.
So, if source is hostname_vm1_logname, host_vm3_logname, hostname_vm4_logname, block them.

Allow all other logs to flow through.

All internal logs, and any other logs that may get added on vm2, also need to be allowed.

It's more a problem of: BLOCK a few logs and ALLOW everything else.

0 Karma
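The two approaches discussed in this thread (not ingesting the files at all, versus routing by source to the nullQueue), written out as an added example that is not part of the original thread or of Splunk's documentation. It assumes the log directory is /directory_to_log and that VM names are delimited by - or _ as in the source formats quoted above; TRANSFORMS-based routing only runs where events are parsed (heavy forwarder or indexer), never on a universal forwarder, so option A is the one to use on a universal forwarder.

```ini
# Added example (not from the thread or Splunk docs): drop vm1/vm3/vm4 logs
# while letting everything else, including _internal, through.
# /directory_to_log, vm_app_log and the index name are assumed placeholders.

# --- Option A: universal or heavy forwarder, inputs.conf --------------------
# Never read the unwanted files at all. blacklist is a regex applied to the
# full file path; vm2 files and any file added later are still monitored,
# and _internal is collected by Splunk's own inputs, so it is unaffected.
[monitor:///directory_to_log]
sourcetype = vm_app_log
index = main
blacklist = [-_](vm1|vm3|vm4)[-_]

# --- Option B: parsing tier only (heavy forwarder or indexer) ---------------
# A universal forwarder does not apply TRANSFORMS; put these on whichever
# instance parses the stream. Data from the other forwarders is untouched
# because the props.conf stanza matches only sources under this directory.

# props.conf
[source::/directory_to_log/*]
TRANSFORMS-drop_vms = drop_vm_sources

# transforms.conf
[drop_vm_sources]
# Match against the event's source metadata, not the raw event text.
SOURCE_KEY = MetaData:Source
REGEX = [-_](vm1|vm3|vm4)[-_]
DEST_KEY = queue
FORMAT = nullQueue
```

After deploying either option, confirm with a search such as index=main source="*vm2*" still returning events while source="*vm1*" returns nothing new, and check that _internal from this forwarder is still arriving.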

gfreitas
Builder

Could you post your inputs.conf of this forwarder?

0 Karma

adonio
Ultra Champion

Hi Namritha
You can configure your inputs.conf on this particular forwarder to monitor data from VM2 only.

0 Karma