All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is it possible to disable logging on the Cisco eStreamer for Splunk app?

responsys_cm
Builder
‎12-09-2016 02:01 PM

The eStreamer input generates like 300 MB of log files per day. Is there any way to disable that logging?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-10-2016 12:46 AM

Hi responsys_cm,
to disable eStreamer input, you have to disable Splunk inputs for this App, there are two ways:

  • You can do it by web interface [Settings -- Inputs], find eStreamer inpus and disable them;
  • modify $SPLUNK_HOME/etc/apps/eStreamer/local/inputs.conf, inserting "disabled=1" where "disabled=0" and restart Splunk, if this file doesn't exist, copy it from SPLUNK_HOME/etc/apps/eStreamer/default.

If you receive also logs using syslog, remember to disable this in your CISCO interface.

Bye.
Giuseppe

0 Karma
Reply

responsys_cm
Builder
‎12-10-2016 01:38 PM

My goal isn't to disable the input. The input generates log files on its operations as well as indexing data from FireSIGHT. I want the FireSIGHT data, but not the hundreds of megs of the inputs operational logs...

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-10-2016 02:55 PM

you have to chose the logs you want to discard, find the correct regex and then filter your data using the regex:
(http://docs.splunk.com/Documentation/Splunk/6.5.1/Forwarding/Routeandfilterdatad)
props.conf

 [your_sourcetype]
 TRANSFORMS-null= setnull

transforms.conf

 [setnull]
 REGEX = your_regex
 DEST_KEY = queue
 FORMAT = nullQueue

and restart Splunk

bye.
Giuseppe

0 Karma
Reply

responsys_cm
Builder
‎12-11-2016 03:30 PM

These logs aren't being ingested by Splunk. They are logs that the eStreamer script generates. They consume hundreds of megs a day.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-11-2016 10:41 PM

Sorry, I don't know eStreamer and i don't know how to disable log!
Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...