Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I filter incoming data to prevent license violations?

cparker4486
Engager
‎11-10-2011 12:02 PM

Hello,

I'm attempting to use the free edition but with only collecting data from the local machine I'm filling up my 500MB quota in just a few hours.

I don't know if Splunk works this way but I thought I could cut back on incoming data by filtering out informational log events. That is I would like to accept only warnings and errors.

Is this possible?

Reply

hokie1999
Explorer
‎07-22-2013 09:57 AM

Can I blacklist from the indexers and save myself some typing? Send a link to the doc that explains this, thanks.

0 Karma
Reply

Ayn
Legend
‎11-10-2011 12:57 PM

It certainly is. You do this by matching events that should be sent to the "nullQueue" instead of the "indexQueue". The docs have good descriptions with examples on how to achieve this: http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Routeandfilterdatad#Discard_specific_event...

Reply

jbsplunk
Splunk Employee
Splunk Employee
‎11-10-2011 01:55 PM

nullQueue routing is the only way to prevent the indexing of certain types of data. You can set up transforms for different sources/hosts/sourcetypes, so there is a good amount of flexibility on how you'd want to call the transform to perform this action. So it isn't like you've really got limitations in terms of having to create a single list.

0 Karma
Reply

cparker4486
Engager
‎11-10-2011 01:30 PM

Thanks for the information. After doing some research this system is turning out to be quite a bit more complicated than I expected. The biggest problem I see is that there are so many different types of events with different formats that I can not reasonably maintain an include/exclude list. Do you have any further advice on this?

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...