https://community.splunk.com/t5/Getting-Data-In/Splunk-AWS-Blacklist-on-AccountID-Splunk-Cloud/m-p/582336#M102597 <P>Hi, I am currently using the AWS Add-on for Splunk, and am looking to see if I can blacklist based on regex other than the applications UI for blacklisting based on eventnames. (using the blacklist method provided by the app:&nbsp;<A href="https://docs.splunk.com/Documentation/AddOns/latest/AWS/CloudTrail" target="_blank" rel="noopener">https://docs.splunk.com/Documentation/AddOns/latest/AWS/CloudTrail)</A></P><P>&nbsp;</P><P><FONT face="inherit">I have a central Cloudtrail for all of my accounts and looking to send logs from a certain account to nullque so they are not ingested. The logs do have a field for AccountID. Reason being the specific logs from the account are about 80 percent of my ingestion and are not needed. I saw this article but as </FONT>mentioned<FONT face="inherit">&nbsp;before I am not able to modify these files directly due to being on Splunk Cloud:&nbsp;</FONT><A href="https://docs.splunk.com/Documentation/Splunk/6.4.1/Forwarding/Routeandfilterdatad#Discard_specific_events_and_keep_the_rest" target="_blank" rel="noopener">https://docs.splunk.com/Documentation/Splunk/6.4.1/Forwarding/Routeandfilterdatad#Discard_specific_events_and_keep_the_rest</A></P><P>&nbsp;</P><P>Since I do not have access to modify transform.conf or props.conf.&nbsp; I was told I could modify the applications .conf files and send a zipped folder of the modified contents for Splunk team to upload and install.</P><P>Currently I do have blacklisting implemented on EventNames as this is part of the application.&nbsp; Is there any guidance on how I can blacklist based on regex such as accountID=(id for account I want to send to nullque)?</P> Tue, 25 Jan 2022 00:00:59 GMT SplunkJ1 2022-01-25T00:00:59Z https://community.splunk.com/t5/Getting-Data-In/Splunk-AWS-Blacklist-on-AccountID-Splunk-Cloud/m-p/582336#M102597 <P>Hi, I am currently using the AWS Add-on for Splunk, and am looking to see if I can blacklist based on regex other than the applications UI for blacklisting based on eventnames. (using the blacklist method provided by the app:&nbsp;<A href="https://docs.splunk.com/Documentation/AddOns/latest/AWS/CloudTrail" target="_blank" rel="noopener">https://docs.splunk.com/Documentation/AddOns/latest/AWS/CloudTrail)</A></P><P>&nbsp;</P><P><FONT face="inherit">I have a central Cloudtrail for all of my accounts and looking to send logs from a certain account to nullque so they are not ingested. The logs do have a field for AccountID. Reason being the specific logs from the account are about 80 percent of my ingestion and are not needed. I saw this article but as </FONT>mentioned<FONT face="inherit">&nbsp;before I am not able to modify these files directly due to being on Splunk Cloud:&nbsp;</FONT><A href="https://docs.splunk.com/Documentation/Splunk/6.4.1/Forwarding/Routeandfilterdatad#Discard_specific_events_and_keep_the_rest" target="_blank" rel="noopener">https://docs.splunk.com/Documentation/Splunk/6.4.1/Forwarding/Routeandfilterdatad#Discard_specific_events_and_keep_the_rest</A></P><P>&nbsp;</P><P>Since I do not have access to modify transform.conf or props.conf.&nbsp; I was told I could modify the applications .conf files and send a zipped folder of the modified contents for Splunk team to upload and install.</P><P>Currently I do have blacklisting implemented on EventNames as this is part of the application.&nbsp; Is there any guidance on how I can blacklist based on regex such as accountID=(id for account I want to send to nullque)?</P> Tue, 25 Jan 2022 00:00:59 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-AWS-Blacklist-on-AccountID-Splunk-Cloud/m-p/582336#M102597 SplunkJ1 2022-01-25T00:00:59Z https://community.splunk.com/t5/Getting-Data-In/Splunk-AWS-Blacklist-on-AccountID-Splunk-Cloud/m-p/582345#M102601 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/242449">@SplunkJ1</a>&nbsp;</P><P>May be you shall a create a private app having props , transforms conf having stanzas to send matching accountid events to nullQueue and deploy using this process to the instance where AWS add-on is running already.</P><P>You don't need to edit the same .conf files in the add-on , instead you can create a private app having your custom configs for sourcetype aws:cloudtrail. Splunk determines at the run-time and merge all of them together, After installation of private app (UI disabled) in on-prem splunk a restart of HF/Splunk instance is required. In SplunkCloud case you shall check how that works.</P><P>Hope this helps!</P><P><A href="https://dev.splunk.com/enterprise/docs/releaseapps/manageprivatecloud/" target="_blank">https://dev.splunk.com/enterprise/docs/releaseapps/manageprivatecloud/</A></P><P>--</P><P>An upvote would be appreciated if this reply helps!</P> Tue, 25 Jan 2022 02:32:08 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-AWS-Blacklist-on-AccountID-Splunk-Cloud/m-p/582345#M102601 venkatasri 2022-01-25T02:32:08Z https://community.splunk.com/t5/Getting-Data-In/Splunk-AWS-Blacklist-on-AccountID-Splunk-Cloud/m-p/582421#M102618 <P>Ok that is interesting. So if I upload a new app with only a transform, props conf with the exact same stanza (sourcetype) in the official app, it will add the rules for my private app's stanza to the main?</P> Tue, 25 Jan 2022 17:02:41 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-AWS-Blacklist-on-AccountID-Splunk-Cloud/m-p/582421#M102618 SplunkJ1 2022-01-25T17:02:41Z https://community.splunk.com/t5/Getting-Data-In/Splunk-AWS-Blacklist-on-AccountID-Splunk-Cloud/m-p/582725#M102665 <P>Technically that works on on-prem unless the add-on is shared across multiple users in Splunk cloud.&nbsp;</P> Thu, 27 Jan 2022 11:10:54 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-AWS-Blacklist-on-AccountID-Splunk-Cloud/m-p/582725#M102665 venkatasri 2022-01-27T11:10:54Z