<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Understanding forwarding, filtering and license consumption in Deployment Architecture</title>
    <link>https://community.splunk.com/t5/Deployment-Architecture/Understanding-forwarding-filtering-and-license-consumption/m-p/461415#M24223</link>
    <description>&lt;P&gt;Hello. I've inherited a 'proof-of-concept' Splunk installation consisting of several linux servers running Splunk Enterprise under a dev license.  We've a couple of Indexers, an index master, a deployment server and a single search head. &lt;/P&gt;

&lt;P&gt;We've got universal forwarders configured on our Windows AD domain controllers that are installing the Splunk_TA_Windows app to the UFs.  This app has been configured to whitelist only certain event ID codes via a regexp. &lt;/P&gt;

&lt;P&gt;My understanding (and this appears to agree with every bit of docs I can find) was that UF forwarders were unable to filter or manipulate data, and that a Heavy Forwarder was required to do things like regexps, etc.  &lt;/P&gt;

&lt;P&gt;I'm concerned that our UFs are consuming too much of our license and that the whitelisting regexps in the inputs.conf on the UF aren't effective?  Or have I grossly misunderstood (I assume it's me...) &lt;/P&gt;

&lt;P&gt;The other reason I ask is because we'd also like to pull in selected data from a syslog feed, but we'd absolutely need to filter this before it hits Splunk, as it'd blow through our license in mins if we didn't.  If I can filter Windows event logs in a UF via a regexp, can I also filter syslog events in a UF with a regexp?&lt;/P&gt;

&lt;P&gt;Thanks &lt;BR /&gt;
Dave&lt;/P&gt;</description>
    <pubDate>Wed, 30 Sep 2020 02:38:09 GMT</pubDate>
    <dc:creator>wemb</dc:creator>
    <dc:date>2020-09-30T02:38:09Z</dc:date>
    <item>
      <title>Understanding forwarding, filtering and license consumption</title>
      <link>https://community.splunk.com/t5/Deployment-Architecture/Understanding-forwarding-filtering-and-license-consumption/m-p/461415#M24223</link>
      <description>&lt;P&gt;Hello. I've inherited a 'proof-of-concept' Splunk installation consisting of several linux servers running Splunk Enterprise under a dev license.  We've a couple of Indexers, an index master, a deployment server and a single search head. &lt;/P&gt;

&lt;P&gt;We've got universal forwarders configured on our Windows AD domain controllers that are installing the Splunk_TA_Windows app to the UFs.  This app has been configured to whitelist only certain event ID codes via a regexp. &lt;/P&gt;

&lt;P&gt;My understanding (and this appears to agree with every bit of docs I can find) was that UF forwarders were unable to filter or manipulate data, and that a Heavy Forwarder was required to do things like regexps, etc.  &lt;/P&gt;

&lt;P&gt;I'm concerned that our UFs are consuming too much of our license and that the whitelisting regexps in the inputs.conf on the UF aren't effective?  Or have I grossly misunderstood (I assume it's me...) &lt;/P&gt;

&lt;P&gt;The other reason I ask is because we'd also like to pull in selected data from a syslog feed, but we'd absolutely need to filter this before it hits Splunk, as it'd blow through our license in mins if we didn't.  If I can filter Windows event logs in a UF via a regexp, can I also filter syslog events in a UF with a regexp?&lt;/P&gt;

&lt;P&gt;Thanks &lt;BR /&gt;
Dave&lt;/P&gt;</description>
      <pubDate>Wed, 30 Sep 2020 02:38:09 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Deployment-Architecture/Understanding-forwarding-filtering-and-license-consumption/m-p/461415#M24223</guid>
      <dc:creator>wemb</dc:creator>
      <dc:date>2020-09-30T02:38:09Z</dc:date>
    </item>
    <item>
      <title>Re: Understanding forwarding, filtering and license consumption</title>
      <link>https://community.splunk.com/t5/Deployment-Architecture/Understanding-forwarding-filtering-and-license-consumption/m-p/461416#M24224</link>
      <description>&lt;P&gt;Hi wemb,&lt;BR /&gt;
if you filter events before indexing, the filtered events don't consume license.&lt;BR /&gt;
Filtering can be applied on Indexers or (when present, but it isn't a need) on Heavy Forwarders, so if you want to filter events you can do it on Indexers without an additional HF.&lt;BR /&gt;
For additional information see &lt;A href="https://docs.splunk.com/Documentation/Splunk/7.3.2/Forwarding/Routeandfilterdatad"&gt;https://docs.splunk.com/Documentation/Splunk/7.3.2/Forwarding/Routeandfilterdatad&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;Universal Forwarders don't filter data, with the only exception of Windows event logs: on a Universal Forwarder it's possible to filter events by whitelisting or blacklisting EventCodes.&lt;BR /&gt;
So, if your UFs are consuming too much of your license and the whitelisting regexps don't run, this is probably the problem.&lt;BR /&gt;
Then if you need to filter syslogs, you can easily do it on Indexers (see the above documentation), not on UFs.&lt;/P&gt;

&lt;P&gt;You can receive syslogs on Indexers but (when possible) I prefer to use two Heavy Forwarders with a Load Balancer to ingest syslogs; in this way I can ingest syslogs without overloading the Indexers, I can filter them and I can separate this job from the Indexers' jobs (you need two HFs and a Load Balancer to avoid Single Points of Failure).&lt;/P&gt;

&lt;P&gt;If you use the Windows TAs, you have to enable only the events you need for your use cases: e.g. you could want only security WinEventLogs but not performance monitoring logs; in addition, for scripts, you could also change the frequency of execution (e.g. hardware specs only one time a day and not every ten minutes).&lt;/P&gt;

&lt;P&gt;Ciao.&lt;BR /&gt;
Giuseppe&lt;/P&gt;</description>
      <pubDate>Wed, 16 Oct 2019 10:53:09 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Deployment-Architecture/Understanding-forwarding-filtering-and-license-consumption/m-p/461416#M24224</guid>
      <dc:creator>gcusello</dc:creator>
      <dc:date>2019-10-16T10:53:09Z</dc:date>
    </item>
    <item>
      <title>Re: Understanding forwarding, filtering and license consumption</title>
      <link>https://community.splunk.com/t5/Deployment-Architecture/Understanding-forwarding-filtering-and-license-consumption/m-p/461417#M24225</link>
      <description>&lt;P&gt;Thanks Giuseppe - it's the "UF's don't filter data &lt;STRONG&gt;with the exception of Windows eventlogs&lt;/STRONG&gt;" that was news to me.  That explains why we don't have any HF, but our events are still being filtered.&lt;/P&gt;

&lt;P&gt;I'll try setting up a Heavy Forwarder to filter our syslog data before sending it on to Splunk. &lt;/P&gt;

&lt;P&gt;Thanks&lt;BR /&gt;
Dave&lt;/P&gt;</description>
      <pubDate>Wed, 16 Oct 2019 11:07:16 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Deployment-Architecture/Understanding-forwarding-filtering-and-license-consumption/m-p/461417#M24225</guid>
      <dc:creator>wemb</dc:creator>
      <dc:date>2019-10-16T11:07:16Z</dc:date>
    </item>
    <item>
      <title>Re: Understanding forwarding, filtering and license consumption</title>
      <link>https://community.splunk.com/t5/Deployment-Architecture/Understanding-forwarding-filtering-and-license-consumption/m-p/461418#M24226</link>
      <description>&lt;P&gt;Hi wemb,&lt;BR /&gt;
I suggest using two HFs not for filtering (this is an additional feature), but mainly to manage ingestion separately from the indexers.&lt;BR /&gt;
If you want to use an HF only to filter data, you don't need it!&lt;/P&gt;

&lt;P&gt;Ciao.&lt;BR /&gt;
Giuseppe&lt;/P&gt;</description>
      <pubDate>Wed, 16 Oct 2019 11:23:56 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Deployment-Architecture/Understanding-forwarding-filtering-and-license-consumption/m-p/461418#M24226</guid>
      <dc:creator>gcusello</dc:creator>
      <dc:date>2019-10-16T11:23:56Z</dc:date>
    </item>
    <item>
      <title>Re: Understanding forwarding, filtering and license consumption</title>
      <link>https://community.splunk.com/t5/Deployment-Architecture/Understanding-forwarding-filtering-and-license-consumption/m-p/461419#M24227</link>
      <description>&lt;P&gt;Sorry - I'm confused again now - I'm talking about syslog data now, not windows Event logs - can I filter syslog data to avoid consuming my license on a UF?  &lt;/P&gt;</description>
      <pubDate>Wed, 16 Oct 2019 11:53:43 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Deployment-Architecture/Understanding-forwarding-filtering-and-license-consumption/m-p/461419#M24227</guid>
      <dc:creator>wemb</dc:creator>
      <dc:date>2019-10-16T11:53:43Z</dc:date>
    </item>
    <item>
      <title>Re: Understanding forwarding, filtering and license consumption</title>
      <link>https://community.splunk.com/t5/Deployment-Architecture/Understanding-forwarding-filtering-and-license-consumption/m-p/461420#M24228</link>
      <description>&lt;P&gt;No, you can filter your syslog events on Indexers (before indexing) or Heavy Forwarders  not on Universal Forwarders!&lt;BR /&gt;
Filtering on Indexers doesn't consume license because filtering is an action before indexing and license is calculated only on indexed logs not on received logs.&lt;/P&gt;

&lt;P&gt;About Heavy Forwarders for syslogs, if you have a small architecture, you can use Indexers to receive syslogs and filter them before indexing.&lt;BR /&gt;
If instead you have a large architecture and you want to separate syslog receiving from indexing, you can add one (two with a Load Balancer is better) Heavy Forwarder (not Universal Forwarder!) that is enabled to receive syslogs and filter them before sending them to the indexers.&lt;/P&gt;

&lt;P&gt;Ciao.&lt;BR /&gt;
Giuseppe&lt;/P&gt;</description>
      <pubDate>Wed, 16 Oct 2019 13:25:54 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Deployment-Architecture/Understanding-forwarding-filtering-and-license-consumption/m-p/461420#M24228</guid>
      <dc:creator>gcusello</dc:creator>
      <dc:date>2019-10-16T13:25:54Z</dc:date>
    </item>
  </channel>
</rss>