topic Re: Is there a way to have splunk filter read values externally? in Getting Data In

Is there a way to have splunk filter read values externally?

salavi — Tue, 20 Aug 2024 22:01:58 GMT

We want to limit the ingestion of data that is coming from some sources (in this case the value would be in Properties.HostName) because they basically are not working correctly (customer machines) and continue to spam the system. (Turning them off is not an option. ). I know that we can add hardcoded filters such as below:

Name: Serilog:Filter:nn:Args:expression

Value: @p['AssemlyName'] = 'SomeAssembly.xxx.yyy' and @p['HostName'] in ['Spammer1', 'Spammer2', ...]

But the spammers change from time to time and we can generate their list.

The question is, if I have a list of these spammers (in any form needed) can I somehow use some sort of a value above of some other method to read from that list (in place of the "in [... ]" expression above)?

Re: Is there a way to have splunk filter read values externally?

gcusello — Wed, 21 Aug 2024 06:04:44 GMT

Hi @salavi ,

are you speaking of a filter at index or search time?

if at search time, you can put the list in a lookup and use it for the search:

<your_search> [ | inputlookup your_lookup.csv | fields HostName]

you can eventually refresh your lookup taking values from a scheduled search:

<your_lookup_search> | dedup HostName | table HostName | outputlookup your_lookup.csv

that you can schedule e.g. every hour.

Ciao.

Giuseppe

Re: Is there a way to have splunk filter read values externally?

salavi — Wed, 21 Aug 2024 16:17:12 GMT

Thanks for your reply.

No, not in the search. I want to prevent these events (from certain hostnames) to even get ingested into Splunk to begin with. As I mentioned before, we can do this by adding a logging app service setting (on Azure), but it requires listing the hostnames individually. I was hoping there was a way to read from a list instead.

Currently we are doing something like this.

Re: Is there a way to have splunk filter read values externally?

gcusello — Thu, 22 Aug 2024 05:53:05 GMT

Hi @salavi ,

at index time, I'm not sure that there isn't any other solution, unless the Splunk Edge Processor will be available.

Ciao.

Giuseppe

Re: Is there a way to have splunk filter read values externally?

PickleRick — Thu, 22 Aug 2024 07:33:50 GMT

Are you asking if you can do this on egress in Azure or are you trying to do equivalent thing on ingress in Splunk?

You can do filtering on input, if you use ingest-evals even using lookups (but not in the Cloud).

Re: Is there a way to have splunk filter read values externally?

salavi — Mon, 26 Aug 2024 18:17:29 GMT

Basically I am trying to find a way to prevent data from certain hostnames to even get ingested into Splunk (cost cutting measure for one thing).

Re: Is there a way to have splunk filter read values externally?

PickleRick — Mon, 26 Aug 2024 18:30:22 GMT

The general answer is yes - you can filter out events. The way to do it specific to your need will depend on your precise use case.

Within Splunk you can do it like this

https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad

If you can filter out in Azure so you simply don't send data to Splunk - even better. But this is out of scope of this forum and you have to ask some experienced Azure admins how to do so.