Limiting ingested fields in Azure Event Hubs

zippo706 · ‎08-10-2020

I"d like to send audit data through an event hub. However, i want my heavy fwd'r to not send all fields to splunk as 75% of is will be useless and take up all my ingesting quota.

Is there an easy way to do this? The data coming in is Azure SQL where i don't beleive i can change data going into the hub.

richgalloway · ‎08-10-2020

If you want to discard entire events, see https://docs.splunk.com/Documentation/Splunk/8.0.5/Forwarding/Routeandfilterdatad#Filter_event_data_...

If you want to discard parts of events, use SEDCMD in props.conf.

[mysourcetype]
SEDCMD-winevent = s/This event is generated.*//

---
If this reply helps you, Karma would be appreciated.

zippo706 · ‎08-10-2020

Thanks for the info. can i discard or manipulate fields in an event. I'm going to speak logstash here and mutate to delete "reallybigfieldIdon'tcareabout"

richgalloway · ‎08-10-2020

Yes, you can do that with SEDCMD. It will be on the raw event, however, since fields haven't been extracted when SEDCMD runs.

---
If this reply helps you, Karma would be appreciated.

zippo706 · ‎08-12-2020

Thank you, much appreciated.

Limiting ingested fields in Azure Event Hubs

configuration

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms