topic Re: How to stop indexing a specific log for a particular switch in my production environment? in Getting Data In

How to stop indexing a specific log for a particular switch in my production environment?

vineeth10 — Wed, 22 Jun 2016 07:11:08 GMT

Hello,

There is request from my client to stop indexing a specific log for a particular switch in my production.
For ex: I want to stop indexing a log for user login on device 10.xx.xx.xx.
Just for an single device.

Is there any way I can archive this?

Re: How to stop indexing a specific log for a particular switch in my production environment?

shaskell_splunk — Wed, 22 Jun 2016 17:14:04 GMT

Can you clarify how the data is getting into Splunk? Is it coming directly from the switch via Syslog or from a Syslog aggregation point using the Universal Forwarder?

If there's no way to disable the logging directly at the source and you just don't want the data indexed than you can configure Splunk to send the data to the null queue for that source IP address of the device. You do need to validate the IP address is the actual hostname from a Splunk search and if it's not, update the host stanza to the correct hostname for the device.

It's going to be a combination of props and transforms on your indexer(s).

props.conf

[host::10.xx.xx.xx]
TRANSFORMS-null = setnull

transforms.conf

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

Re: How to stop indexing a specific log for a particular switch in my production environment?

vineeth10 — Wed, 22 Jun 2016 17:50:53 GMT

We have pointed the syslog as splunk server.there is no universal forwarder. So if an user login in to the switch i don't want that log should be capture on splunk.

Re: How to stop indexing a specific log for a particular switch in my production environment?

shaskell_splunk — Wed, 22 Jun 2016 18:07:34 GMT

Try the method I've suggested to drop any events coming from that device from being indexed. The key is to make sure you have the correct hostname in the props.conf stanza.

Re: How to stop indexing a specific log for a particular switch in my production environment?

vineeth10 — Sun, 10 Jul 2016 05:48:33 GMT

i tried but it didn't work 😞

Re: How to stop indexing a specific log for a particular switch in my production environment?

spsrasru — Fri, 15 Jul 2016 15:05:46 GMT

Try this

props.conf: (you can replace sourcetype with syslog)

[syslog]
TRANSFORMS-switch = switchFilter

transforms.conf:

[switchFilter]
REGEX = 10.xx.xx.xx
DEST_KEY = queue
FORMAT = nullQueue

Make sure you reload the splunk (https://:8000/debug/refresh) or restart the splunk service after applying the props and tranforms.

Thanks,
Sp

Re: How to stop indexing a specific log for a particular switch in my production environment?

vineeth10 — Fri, 15 Jul 2016 15:41:38 GMT

hope it won't stop entire logs for the particular device, as the intention is not to stop the entire logs but just a specify log from the device.

Re: How to stop indexing a specific log for a particular switch in my production environment?

spsrasru — Fri, 15 Jul 2016 16:23:35 GMT

Never mind. I thought you are trying to stop all the events from particular device. the above configuration i gave is to stop all the events.

shaskell is already gave what you need but to discard specific events and keep the rest:

props:

[host::10.xx.xx.xx]
TRANSFORMS-null= setnull

transforms:

[setnull]
REGEX = string you need to discard
DEST_KEY = queue
FORMAT = nullQueue

Re: How to stop indexing a specific log for a particular switch in my production environment?

masonmorales — Fri, 15 Jul 2016 16:27:58 GMT

@vineeth10 You may want to take a look at this: http://www.georgestarcher.com/splunk-success-with-syslog/