<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Block few logs from some specific hosts in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/How-to-block-few-logs-from-some-specific-hosts/m-p/600430#M104682</link>
    <description>&lt;P&gt;Yes, I need help creating the add-on if I have to apply the first solution.&lt;/P&gt;</description>
    <pubDate>Fri, 03 Jun 2022 09:45:34 GMT</pubDate>
    <dc:creator>blbr123</dc:creator>
    <dc:date>2022-06-03T09:45:34Z</dc:date>
    <item>
      <title>How to block few logs from some specific hosts?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-block-few-logs-from-some-specific-hosts/m-p/600416#M104675</link>
      <description>&lt;P&gt;Hi All,&lt;/P&gt;
&lt;P&gt;I have around 30 hosts forwarding logs to Splunk.&lt;/P&gt;
&lt;P&gt;I have the same paths below on all the servers:&lt;/P&gt;
&lt;P&gt;/data/abc/vault.logs&lt;/P&gt;
&lt;P&gt;/data/abc/vault_audit.logs&lt;/P&gt;
&lt;P&gt;/data/xyz/proxy.logs&lt;/P&gt;
&lt;P&gt;So I have created an app that includes inputs with all the above stanzas and pushed the app to all hosts.&lt;/P&gt;
&lt;P&gt;So by default all those hosts are sending the above-mentioned logs to Splunk.&lt;/P&gt;
&lt;P&gt;But I want 5 servers to send just the log below and not the other logs:&lt;/P&gt;
&lt;P&gt;/data/xyz/proxy.logs&lt;/P&gt;
&lt;P&gt;How do I achieve this?&lt;/P&gt;</description>
      <pubDate>Mon, 06 Jun 2022 21:11:16 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-block-few-logs-from-some-specific-hosts/m-p/600416#M104675</guid>
      <dc:creator>blbr123</dc:creator>
      <dc:date>2022-06-06T21:11:16Z</dc:date>
    </item>
    <item>
      <title>Re: Block few logs from some specific hosts</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-block-few-logs-from-some-specific-hosts/m-p/600418#M104676</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/232545"&gt;@blbr123&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;you have two ways to reach your target:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;the easiest (the one I suggest) is creating two Add-Ons: one for the 5 hosts with only one input and another one with all the inputs; then you have to deploy the two Add-Ons using two different ServerClasses,&lt;/LI&gt;&lt;LI&gt;if you don't want to have two Add-Ons, you can have only one Add-On and put a filter on your Indexers to delete the other logs coming from the 5 hosts.&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;About the first solution, I think that you don't need any help to create the two Add-Ons and the two ServerClasses; if you need it, please tell me.&lt;/P&gt;&lt;P&gt;About the second solution, you have to put the following props.conf on your Indexers or (if present) on your Heavy Forwarders:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;# props.conf (indexers / heavy forwarders): one host stanza per host to filter.
# Index-time TRANSFORMS run on the parsing tier, not on universal forwarders.
[host::host1]
TRANSFORMS-null = setnull

[host::host2]
TRANSFORMS-null = setnull

[host::host3]
TRANSFORMS-null = setnull

[host::host4]
TRANSFORMS-null = setnull

[host::host5]
TRANSFORMS-null = setnull&lt;/LI-CODE&gt;&lt;P&gt;and in your transforms.conf:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;# transforms.conf: match on the source path instead of the raw event,
# so only the two vault logs from these hosts go to nullQueue (dropped, never indexed)
# while /data/xyz/proxy.logs keeps flowing to the index.
[setnull]
SOURCE_KEY = MetaData:Source
REGEX = /data/abc/vault(_audit)?\.logs$
DEST_KEY = queue
FORMAT = nullQueue&lt;/LI-CODE&gt;&lt;P&gt;as you can read at&amp;nbsp;&lt;A href="https://docs.splunk.com/Documentation/Splunk/8.2.6/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues" target="_blank"&gt;https://docs.splunk.com/Documentation/Splunk/8.2.6/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues&lt;/A&gt;&lt;/P&gt;&lt;P&gt;Ciao.&lt;/P&gt;&lt;P&gt;Giuseppe&lt;/P&gt;</description>
      <pubDate>Fri, 03 Jun 2022 09:30:13 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-block-few-logs-from-some-specific-hosts/m-p/600418#M104676</guid>
      <dc:creator>gcusello</dc:creator>
      <dc:date>2022-06-03T09:30:13Z</dc:date>
    </item>
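The answer above filters by listing the sources to drop. An added example (not from the original post or from Splunk's documentation) shows the inverse, allow-list form of the same nullQueue technique: every event from the five hosts is first routed to nullQueue, then events whose source is the proxy log are routed back to indexQueue. Host names host1 to host5 and the three log paths are taken from the thread; the stanza names setnull_all and keep_proxy are assumed.

```ini
# props.conf on the indexers (or heavy forwarders), not on universal forwarders:
# index-time TRANSFORMS only run where data is parsed.
# Transforms named in one TRANSFORMS- list run left to right, so the nullQueue
# routing is applied first and the proxy re-route below overrides it.
[host::host1]
TRANSFORMS-routing = setnull_all, keep_proxy

[host::host2]
TRANSFORMS-routing = setnull_all, keep_proxy

[host::host3]
TRANSFORMS-routing = setnull_all, keep_proxy

[host::host4]
TRANSFORMS-routing = setnull_all, keep_proxy

[host::host5]
TRANSFORMS-routing = setnull_all, keep_proxy

# transforms.conf
# Step 1: send every event from the host to nullQueue (dropped, never indexed).
[setnull_all]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# Step 2: route events whose source is the proxy log back to indexQueue.
# SOURCE_KEY makes REGEX match the source field instead of _raw.
[keep_proxy]
SOURCE_KEY = MetaData:Source
REGEX = /data/xyz/proxy\.logs$
DEST_KEY = queue
FORMAT = indexQueue
```

The allow-list form is the safer default when the shared add-on may grow: any monitor stanza added to it later is still dropped on these five hosts without touching the filter, whereas a drop-list must be extended for every new path. Two caveats: the host stanza must match the host value exactly as the indexer sees it, and nullQueue is silent, so after a restart of the parsing tier confirm the result with a search such as index=your_index host=host1 | stats count by source, which should return only /data/xyz/proxy.logs.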
    <item>
      <title>Re: Block few logs from some specific hosts</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-block-few-logs-from-some-specific-hosts/m-p/600421#M104677</link>
      <description>&lt;P&gt;Can't we achieve this by mentioning the host details in inputs.conf?&lt;/P&gt;&lt;P&gt;Let's say&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;[monitor:///data/abc/vault.log]
index = applog
host = dx096865&lt;/LI-CODE&gt;&lt;P&gt;By doing this, don't I get just the vault.log from just that host?&lt;/P&gt;</description>
      <pubDate>Fri, 03 Jun 2022 09:36:25 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-block-few-logs-from-some-specific-hosts/m-p/600421#M104677</guid>
      <dc:creator>blbr123</dc:creator>
      <dc:date>2022-06-03T09:36:25Z</dc:date>
    </item>
    <item>
      <title>Re: Block few logs from some specific hosts</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-block-few-logs-from-some-specific-hosts/m-p/600423#M104678</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/232545"&gt;@blbr123&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;as I said, you have two choices:&lt;/P&gt;&lt;OL&gt;&lt;LI&gt;two Add-Ons with different inputs.conf, acting on the Forwarders,&lt;/LI&gt;&lt;LI&gt;acting on the Indexers, if you want to have only one Add-On.&lt;/LI&gt;&lt;/OL&gt;&lt;P&gt;You cannot put a condition in inputs.conf.&lt;/P&gt;&lt;P&gt;My suggestion is to have two Add-Ons (solution 1), but the second solution, as I said, is also easy to implement.&lt;/P&gt;&lt;P&gt;Ciao.&lt;/P&gt;&lt;P&gt;Giuseppe&lt;/P&gt;</description>
      <pubDate>Fri, 03 Jun 2022 09:41:18 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-block-few-logs-from-some-specific-hosts/m-p/600423#M104678</guid>
      <dc:creator>gcusello</dc:creator>
      <dc:date>2022-06-03T09:41:18Z</dc:date>
    </item>
    <item>
      <title>Re: Block few logs from some specific hosts</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-block-few-logs-from-some-specific-hosts/m-p/600424#M104679</link>
      <description>&lt;P&gt;About the second solution,&lt;/P&gt;&lt;P&gt;we actually don't use transforms much, but work in props based on sourcetypes.&lt;/P&gt;&lt;P&gt;So I'm not sure whether this can be achieved just in props.&lt;/P&gt;</description>
      <pubDate>Fri, 03 Jun 2022 09:41:35 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-block-few-logs-from-some-specific-hosts/m-p/600424#M104679</guid>
      <dc:creator>blbr123</dc:creator>
      <dc:date>2022-06-03T09:41:35Z</dc:date>
    </item>
    <item>
      <title>Re: Block few logs from some specific hosts</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-block-few-logs-from-some-specific-hosts/m-p/600426#M104680</link>
      <description>&lt;P&gt;OK, then for what purpose is the host mentioned in inputs, which I saw in some configurations?&lt;/P&gt;</description>
      <pubDate>Fri, 03 Jun 2022 09:43:26 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-block-few-logs-from-some-specific-hosts/m-p/600426#M104680</guid>
      <dc:creator>blbr123</dc:creator>
      <dc:date>2022-06-03T09:43:26Z</dc:date>
    </item>
    <item>
      <title>Re: Block few logs from some specific hosts</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-block-few-logs-from-some-specific-hosts/m-p/600427#M104681</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/232545"&gt;@blbr123&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;what's the problem with also using transforms.conf? It's part of the solution.&lt;/P&gt;&lt;P&gt;This is the usual method to filter unwanted logs.&lt;/P&gt;&lt;P&gt;Ciao.&lt;/P&gt;&lt;P&gt;Giuseppe&lt;/P&gt;</description>
      <pubDate>Fri, 03 Jun 2022 09:43:35 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-block-few-logs-from-some-specific-hosts/m-p/600427#M104681</guid>
      <dc:creator>gcusello</dc:creator>
      <dc:date>2022-06-03T09:43:35Z</dc:date>
    </item>
    <item>
      <title>Re: Block few logs from some specific hosts</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-block-few-logs-from-some-specific-hosts/m-p/600430#M104682</link>
      <description>&lt;P&gt;Yes, I need help creating the add-on if I have to apply the first solution.&lt;/P&gt;</description>
      <pubDate>Fri, 03 Jun 2022 09:45:34 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-block-few-logs-from-some-specific-hosts/m-p/600430#M104682</guid>
      <dc:creator>blbr123</dc:creator>
      <dc:date>2022-06-03T09:45:34Z</dc:date>
    </item>
    <item>
      <title>Re: Block few logs from some specific hosts</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-block-few-logs-from-some-specific-hosts/m-p/600431#M104683</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/232545"&gt;@blbr123&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;using the filtering solution, you have only one inputs.conf and the filter (mentioning the hosts) is in props.conf on the Indexers.&lt;/P&gt;&lt;P&gt;The option "host=your_host" in inputs.conf is used to force the value of host for that data source.&lt;/P&gt;&lt;P&gt;If you don't use it, by default the host value of that data source is set to the value of the forwarder you're using (you can find it in $SPLUNK_HOME/etc/system/local/server.conf of the Forwarder).&lt;/P&gt;&lt;P&gt;Ciao.&lt;/P&gt;&lt;P&gt;Giuseppe&lt;/P&gt;</description>
      <pubDate>Fri, 03 Jun 2022 09:48:13 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-block-few-logs-from-some-specific-hosts/m-p/600431#M104683</guid>
      <dc:creator>gcusello</dc:creator>
      <dc:date>2022-06-03T09:48:13Z</dc:date>
    </item>
    <item>
      <title>Re: Block few logs from some specific hosts</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-block-few-logs-from-some-specific-hosts/m-p/600436#M104684</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/232545"&gt;@blbr123&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;I suppose that you're using a Deployment Server to deploy configurations to your Forwarders; tell me if not, and in any case plan to use it as soon as possible!&lt;/P&gt;&lt;P&gt;You can find information about how to get data in at&amp;nbsp;&lt;A href="https://docs.splunk.com/Documentation/Splunk/latest/Data/Getstartedwithgettingdatain" target="_blank"&gt;https://docs.splunk.com/Documentation/Splunk/latest/Data/Getstartedwithgettingdatain&lt;/A&gt;&lt;/P&gt;&lt;P&gt;and&amp;nbsp;&lt;A href="https://docs.splunk.com/Documentation/Splunk/8.2.6/Updating/Createdeploymentapps" target="_blank"&gt;https://docs.splunk.com/Documentation/Splunk/8.2.6/Updating/Createdeploymentapps&lt;/A&gt;&amp;nbsp;&lt;A href="https://docs.splunk.com/Documentation/Splunk/8.2.6/Updating/Updateconfigurations" target="_blank"&gt;https://docs.splunk.com/Documentation/Splunk/8.2.6/Updating/Updateconfigurations&lt;/A&gt;&lt;/P&gt;&lt;P&gt;Anyway, you have to create two Add-Ons, both containing the following folder structure:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;bin&lt;/LI&gt;&lt;LI&gt;default&lt;/LI&gt;&lt;LI&gt;local&lt;/LI&gt;&lt;LI&gt;metadata&lt;/LI&gt;&lt;LI&gt;static&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;In each Add-On, put in the default folder an app.conf file containing something like this:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;# default/app.conf
[default]

[launcher]
author = you
description = Add-On for all hosts
version = 1.0.0

[package]
check_for_updates = 0

[ui]
is_visible = 0
label = TA-All_Servers&lt;/LI-CODE&gt;&lt;P&gt;obviously changing label and description for each one.&lt;/P&gt;&lt;P&gt;Then put in the local folder of the first Add-On (the one for all servers) the following inputs.conf:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;# local/inputs.conf of the Add-On for all servers
[monitor:///data/abc/vault.logs]
disabled = 0
index = your_index
sourcetype = your_sourcetype1

[monitor:///data/abc/vault_audit.logs]
disabled = 0
index = your_index
sourcetype = your_sourcetype2

[monitor:///data/xyz/proxy.logs]
disabled = 0
index = your_index
sourcetype = your_sourcetype3&lt;/LI-CODE&gt;&lt;P&gt;and in the local folder of the second Add-On:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;# local/inputs.conf of the Add-On for the 5 proxy-only servers
[monitor:///data/xyz/proxy.logs]
disabled = 0
index = your_index
sourcetype = your_sourcetype3&lt;/LI-CODE&gt;&lt;P&gt;Then you have to deploy these two Add-Ons using the Deployment Server, following the instructions at&amp;nbsp;&lt;A href="https://docs.splunk.com/Documentation/Splunk/8.2.6/Updating/Updateconfigurations" target="_blank"&gt;https://docs.splunk.com/Documentation/Splunk/8.2.6/Updating/Updateconfigurations&lt;/A&gt;&lt;/P&gt;&lt;P&gt;In a few words you have to:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;copy both apps into the $SPLUNK_HOME/etc/deployment-apps folder of your Deployment Server,&lt;/LI&gt;&lt;LI&gt;using the GUI, create a serverclass for the first group of Forwarders adding:&lt;UL&gt;&lt;LI&gt;the IP addresses or the hostnames of the first group of servers,&lt;/LI&gt;&lt;LI&gt;the related Add-On to deploy,&lt;/LI&gt;&lt;/UL&gt;&lt;/LI&gt;&lt;LI&gt;then repeat this operation for the second group of servers and Add-On.&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;Obviously you have to configure your clients as clients of the Deployment Server; if you didn't do it, follow the instructions at the above link.&lt;/P&gt;&lt;P&gt;If you don't want to configure a Deployment Server in your infrastructure (I don't recommend this!) you could manually copy the Add-Ons into the $SPLUNK_HOME/etc/apps folder of the related servers, remembering to restart Splunk on each one.&lt;/P&gt;&lt;P&gt;My final suggestion is to take a Splunk Admin training course to better understand how to do all these things.&lt;/P&gt;&lt;P&gt;Ciao.&lt;/P&gt;&lt;P&gt;Giuseppe&lt;/P&gt;</description>
      <pubDate>Fri, 03 Jun 2022 10:08:12 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-block-few-logs-from-some-specific-hosts/m-p/600436#M104684</guid>
      <dc:creator>gcusello</dc:creator>
      <dc:date>2022-06-03T10:08:12Z</dc:date>
    </item>
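The post above describes creating the two server classes in the GUI. As an added example (not from the original post or from Splunk's documentation), this is the equivalent serverclass.conf the Deployment Server ends up with, so the split can be reviewed or version-controlled as text. The add-on name TA-All_Servers comes from the thread; TA-Proxy_Only and the host names proxyhost1 to proxyhost5 are assumed.

```ini
# $SPLUNK_HOME/etc/system/local/serverclass.conf on the Deployment Server.
# whitelist.N / blacklist.N patterns are matched against the client's hostname,
# IP address or clientName; a blacklist match always wins over a whitelist match.

# Class 1: every forwarder EXCEPT the five proxy-only hosts gets the full add-on.
# Without the blacklist those hosts would receive both add-ons and the
# vault.logs / vault_audit.logs monitor stanzas would still run on them.
[serverClass:all_servers]
whitelist.0 = *
blacklist.0 = proxyhost1
blacklist.1 = proxyhost2
blacklist.2 = proxyhost3
blacklist.3 = proxyhost4
blacklist.4 = proxyhost5

[serverClass:all_servers:app:TA-All_Servers]
restartSplunkd = true
stateOnClient = enabled

# Class 2: only the five proxy-only hosts get the single-input add-on.
[serverClass:proxy_only]
whitelist.0 = proxyhost1
whitelist.1 = proxyhost2
whitelist.2 = proxyhost3
whitelist.3 = proxyhost4
whitelist.4 = proxyhost5

[serverClass:proxy_only:app:TA-Proxy_Only]
restartSplunkd = true
stateOnClient = enabled
```

After editing the file by hand, run splunk reload deploy-server on the Deployment Server so the new classes are picked up; clients fetch the apps on their next phone-home. The two classes must be mutually exclusive for the hosts in question, which is why the same five names appear as a blacklist in one class and a whitelist in the other; a forwarder that matches both classes would get both inputs.conf files merged and the filtering goal would be lost.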
  </channel>
</rss>

