Re: Would like to block a specific Source going to...

evolutionxtinct · ‎01-15-2019

Hello Community,

Resources:
- Splunk Enterprise On-Prem = v7.1.2
- F5-BIGIP = v13.1.0
- Using: F5 Analytics iApp v3.7.2RC5
- Kiwi SYSLOG (Heavy Forwarder that has a Uni. Forwarder assigned)

Issue:
I'm currently getting bombarded with over 65k events every few seconds that is related to performance data for Memory/CPU, this data comes into our Indexer and is labeled as source=bigip.tmstats.memory_usage_stat I would like to drop this source from being indexed as its taking up close to 80% of my daily license right now.

Please Note: I'm not a heavy Splunk Admin person, so please be gentle.... I break easily 🙂

Any help is greatly appreciated, thanks!

dkeck · ‎01-16-2019

Hi,

sounds like thats an input of your F5 BIGIP app, just find the inputs,conf on your F5 app and disable the input with the source source=bigip.tmstats.memory_usage_stat

If you can´t find it just grep for it on your CLI in $SPLUNK_HOME/splunk/etc/apps grep -R bigip.tmstats.memory_usage_stat

OR use btool ( in $SPLUNK_HOME/splunk/bin) type ./splunk cmd btool inputs list --debug | grep bigip*

Also check your modular inputs for F5 https://docs.splunk.com/Documentation/AddOns/released/F5BIGIP/Configureinputs

dkeck · ‎01-16-2019

If it was helpfull please accept the answer, thank you

Would like to block a specific Source going to a Heavy Forwarder

Archived Metrics Now Available for APAC and EMEA realms

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!