topic Splunkstream disable specified protocol in Getting Data In

Splunkstream disable specified protocol

elend — Mon, 14 Jul 2025 16:52:49 GMT

Currently I have setup Splunkstream, but there is a condition where I want to disable some data sources from certain protocols because they consume licenses. Is this possible? my case is i want to disable the stream:udp sourcetype. when i investigating the data it still come from source stream:ES_UDP_RAW.

Re: Splunkstream disable specified protocol

PickleRick — Mon, 14 Jul 2025 18:46:56 GMT

You might simply filter out UDP on the OS level so that you don't "filter out" the events but simply don't generate them because you don't see this traffic.

But ask yourself is it what you want. Since you're capturing network data it seems you want network visibility. But now you deliberately want to lose some of this visibility...

Re: Splunkstream disable specified protocol

livehybrid — Mon, 14 Jul 2025 22:01:58 GMT

Hi @elend

Splunk stream supports using Berkeley Packet Filter strings to filter out traffic in your streamfwd.conf file.

Something like:

[streamfwd] streamfwdcapture.0.filter = not udp

For more details check out https://docs.splunk.com/Documentation/StreamApp/8.1.0/DeployStreamApp/ForwarderParameters#:~:text=N%3E.port%20%3D%20443-,Use%20streamfwdcapture%20to%20specify%20network%20interfaces,-By%20default%2C

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Re: Splunkstream disable specified protocol

elend — Tue, 15 Jul 2025 07:54:18 GMT

i'll try this one next.

Re: Splunkstream disable specified protocol

elend — Tue, 15 Jul 2025 07:56:03 GMT

yeah, but for now just want to know if it able to disable from the stream conf. I know its better for the full visibility, but again beside because the license limits, also want to know the posibilities.