https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-is-my-Splunk-Cloud-index-filling-up-with-spurious-events/m-p/298481#M35657 <P>I am currently evaluating Splunk Cloud for analyzing application logs which we are collecting in Azure Blob Storage.</P> <P>I have the Splunk Add-On for Microsoft Cloud Services installed. I currently have a single Storage Account configured, with a single Input using that account. I have not configured any Office 365, or any other account or connector. But I am seeing thousands and thousands of meaningless events of <CODE>sourcetype="ms:o365:management"</CODE>:<BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/4650i711FDA99F15FDC45/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>Where are they coming from?</P> <P>How can I stop them being indexed?</P> <P>How can I delete them all once I have stopped them being collected?</P> <P>Any help would be greatly appreciated.</P> Thu, 29 Mar 2018 21:41:19 GMT davidsykes 2018-03-29T21:41:19Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-is-my-Splunk-Cloud-index-filling-up-with-spurious-events/m-p/298481#M35657 <P>I am currently evaluating Splunk Cloud for analyzing application logs which we are collecting in Azure Blob Storage.</P> <P>I have the Splunk Add-On for Microsoft Cloud Services installed. I currently have a single Storage Account configured, with a single Input using that account. I have not configured any Office 365, or any other account or connector. But I am seeing thousands and thousands of meaningless events of <CODE>sourcetype="ms:o365:management"</CODE>:<BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/4650i711FDA99F15FDC45/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>Where are they coming from?</P> <P>How can I stop them being indexed?</P> <P>How can I delete them all once I have stopped them being collected?</P> <P>Any help would be greatly appreciated.</P> Thu, 29 Mar 2018 21:41:19 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-is-my-Splunk-Cloud-index-filling-up-with-spurious-events/m-p/298481#M35657 davidsykes 2018-03-29T21:41:19Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-is-my-Splunk-Cloud-index-filling-up-with-spurious-events/m-p/298482#M35658 <P>Perhaps a Heavy Forwarder is sending this data in to your Splunk Cloud environment. Click the Hosts tab to see which hosts are sending data, or use a search like below:</P> <PRE><CODE>sourcetype=ms* | stats count by host sourcetype </CODE></PRE> Thu, 29 Mar 2018 22:31:25 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-is-my-Splunk-Cloud-index-filling-up-with-spurious-events/m-p/298482#M35658 jconger 2018-03-29T22:31:25Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-is-my-Splunk-Cloud-index-filling-up-with-spurious-events/m-p/298483#M35659 <P>Thanks for your reply. All of the <CODE>ms*</CODE> source types are coming from <CODE>127.0.0.1</CODE>. I am not sure I know exactly what a "Heavy Fowarder" is (I am new to Splunk), but from context I don't think they would show as coming from the localhost, right?</P> Thu, 29 Mar 2018 23:03:07 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-is-my-Splunk-Cloud-index-filling-up-with-spurious-events/m-p/298483#M35659 davidsykes 2018-03-29T23:03:07Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-is-my-Splunk-Cloud-index-filling-up-with-spurious-events/m-p/298484#M35660 <P>I will edit the original question to include this information.</P> Thu, 29 Mar 2018 23:03:35 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-is-my-Splunk-Cloud-index-filling-up-with-spurious-events/m-p/298484#M35660 davidsykes 2018-03-29T23:03:35Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-is-my-Splunk-Cloud-index-filling-up-with-spurious-events/m-p/298485#M35661 <P>Ok, seems I can't edit my question any more. Oh well.</P> Thu, 29 Mar 2018 23:04:23 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-is-my-Splunk-Cloud-index-filling-up-with-spurious-events/m-p/298485#M35661 davidsykes 2018-03-29T23:04:23Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-is-my-Splunk-Cloud-index-filling-up-with-spurious-events/m-p/298486#M35662 <P>What is the source of the data? </P> <PRE><CODE>sourcetype="ms:o365:management" | stats count by source </CODE></PRE> <P>This may give some indication on what input is generating the data.</P> Fri, 30 Mar 2018 00:57:23 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-is-my-Splunk-Cloud-index-filling-up-with-spurious-events/m-p/298486#M35662 ragedsparrow 2018-03-30T00:57:23Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-is-my-Splunk-Cloud-index-filling-up-with-spurious-events/m-p/298487#M35663 <P>Thanks for the reply. It appears the source is <CODE>eventgen</CODE>. Looking this up on <A href="https://splunkbase.splunk.com/app/1924/">Splunkbase</A> makes me think this is for generating test data and is definitely something I do not need.</P> <P>I will go and disable and/or delete it, if I can figure out how.</P> Fri, 30 Mar 2018 01:24:41 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-is-my-Splunk-Cloud-index-filling-up-with-spurious-events/m-p/298487#M35663 davidsykes 2018-03-30T01:24:41Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-is-my-Splunk-Cloud-index-filling-up-with-spurious-events/m-p/298488#M35664 <P>It turns my trial Splunk Cloud instance included both <A href="https://splunkbase.splunk.com/app/1924/">Eventgen</A> and <A href="https://splunkbase.splunk.com/app/1934/">Splunk Reference App - PAS</A>, both of which are intended for app developers and were generating a very large number of events, which were of course no interest to me.</P> <P>Thanks to both <CODE>jconger</CODE> and <CODE>ragedsparrow</CODE> for pointing me to the source of the events, which led me to figuring out how to disable those apps.</P> Fri, 30 Mar 2018 01:43:23 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-is-my-Splunk-Cloud-index-filling-up-with-spurious-events/m-p/298488#M35664 davidsykes 2018-03-30T01:43:23Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-is-my-Splunk-Cloud-index-filling-up-with-spurious-events/m-p/298489#M35665 <P>You can go to the app location:</P> <PRE><CODE>$SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-cloudservices/default </CODE></PRE> <P>Once you are there, delete eventgen.conf and restart Splunk.</P> <P>That should take care of it. The caveat to that is that you will need to delete it again if you update the app later on.</P> Fri, 30 Mar 2018 02:02:58 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-is-my-Splunk-Cloud-index-filling-up-with-spurious-events/m-p/298489#M35665 ragedsparrow 2018-03-30T02:02:58Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-is-my-Splunk-Cloud-index-filling-up-with-spurious-events/m-p/298490#M35666 <P>How do I access that in Splunk Cloud?</P> Fri, 30 Mar 2018 02:38:40 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-is-my-Splunk-Cloud-index-filling-up-with-spurious-events/m-p/298490#M35666 davidsykes 2018-03-30T02:38:40Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-is-my-Splunk-Cloud-index-filling-up-with-spurious-events/m-p/298491#M35667 <P>You should be able to disable the Eventgen app under the Manage Apps section. On the upper left, you should see the <STRONG>Manage Apps</STRONG> listed in the Apps drop down. You should be able to disable the Eventgen app there. </P> <P>You can also access it by going to:</P> <P>/en-US/manager/launcher/apps/local</P> <P>example: <A href="https://mysplunkinstance.com:8000/en-US/manager/launcher/apps/local">https://mysplunkinstance.com:8000/en-US/manager/launcher/apps/local</A></P> Fri, 30 Mar 2018 04:01:19 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-is-my-Splunk-Cloud-index-filling-up-with-spurious-events/m-p/298491#M35667 ragedsparrow 2018-03-30T04:01:19Z