topic Re: Filtering event on splunk fowarder in Getting Data In

Filtering event on splunk fowarder

rbw78 — Mon, 03 Sep 2012 14:43:55 GMT

Hello,

Here's the situation.
I have an equipement sending 2 kinds of events with UDP syslog to a splunk fowarder and then send it to a splunk server in TCP.
I would like to filter events on the splunk fowarder with the outputs.conf or inputs.conf files by gathering only 1 kind of log.
i'd see this is possible on the splunk server directly but i want to minimize the impact on the bandwidth and not sending useless logs for nothing.

Is there a way to do that via a regex or specific char on the event ?

Thanks.

Re: Filtering event on splunk fowarder

MHibbin — Mon, 03 Sep 2012 14:51:22 GMT

Have you read .... http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Routeandfilterdatad

This should get you going? should be fairly simple if you know what you want to exclude

Re: Filtering event on splunk fowarder

rbw78 — Tue, 04 Sep 2012 09:26:22 GMT

Well i didn't see this page, thanks.

But i want to do this on a UniversalSplunkFowarder, not a heavy fowarder which is i guess a physical splunk appliance, correct ?

Re: Filtering event on splunk fowarder

MHibbin — Tue, 04 Sep 2012 09:45:58 GMT

basically no, Splunk do not have any appliances, the "Heavy" forwarder is simply a regular instance of Splunk that has forwarding enabled... to add some more info a "Light" forwarder is a regular instance of Splunk that has some features disabled such as Splunkweb and indexing. And "Universal" forwarder is a completely stripped down instance of Splunk with no webUI, no python etc. Unfortunately as the docs say unless you simply want to filter on the metadata of host/source/sourcetype, you can not use a light or universal forwarder (i.e. for your event filtering).

Re: Filtering event on splunk fowarder

MHibbin — Tue, 04 Sep 2012 09:46:31 GMT

so they are all just applications that run on top of another platform