Solved: Why is my Splunk Cloud index filling up with spuri...

davidsykes · ‎03-29-2018

I am currently evaluating Splunk Cloud for analyzing application logs which we are collecting in Azure Blob Storage.

I have the Splunk Add-On for Microsoft Cloud Services installed. I currently have a single Storage Account configured, with a single Input using that account. I have not configured any Office 365, or any other account or connector. But I am seeing thousands and thousands of meaningless events of sourcetype="ms:o365:management":

Where are they coming from?

How can I stop them being indexed?

How can I delete them all once I have stopped them being collected?

Any help would be greatly appreciated.

davidsykes · ‎03-29-2018

It turns my trial Splunk Cloud instance included both Eventgen and Splunk Reference App - PAS, both of which are intended for app developers and were generating a very large number of events, which were of course no interest to me.

Thanks to both jconger and ragedsparrow for pointing me to the source of the events, which led me to figuring out how to disable those apps.

View solution in original post

davidsykes · ‎03-29-2018

It turns my trial Splunk Cloud instance included both Eventgen and Splunk Reference App - PAS, both of which are intended for app developers and were generating a very large number of events, which were of course no interest to me.

Thanks to both jconger and ragedsparrow for pointing me to the source of the events, which led me to figuring out how to disable those apps.

ragedsparrow · ‎03-29-2018

What is the source of the data?

sourcetype="ms:o365:management" | stats count by source

This may give some indication on what input is generating the data.

davidsykes · ‎03-29-2018

Thanks for the reply. It appears the source is eventgen. Looking this up on Splunkbase makes me think this is for generating test data and is definitely something I do not need.

I will go and disable and/or delete it, if I can figure out how.

ragedsparrow · ‎03-29-2018

You can go to the app location:

$SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-cloudservices/default

Once you are there, delete eventgen.conf and restart Splunk.

That should take care of it. The caveat to that is that you will need to delete it again if you update the app later on.

davidsykes · ‎03-29-2018

How do I access that in Splunk Cloud?

ragedsparrow · ‎03-29-2018

You should be able to disable the Eventgen app under the Manage Apps section. On the upper left, you should see the Manage Apps listed in the Apps drop down. You should be able to disable the Eventgen app there.

You can also access it by going to:

/en-US/manager/launcher/apps/local

example: https://mysplunkinstance.com:8000/en-US/manager/launcher/apps/local

jconger · ‎03-29-2018

Perhaps a Heavy Forwarder is sending this data in to your Splunk Cloud environment. Click the Hosts tab to see which hosts are sending data, or use a search like below:

sourcetype=ms* |  stats count by host sourcetype

davidsykes · ‎03-29-2018

Thanks for your reply. All of the ms* source types are coming from 127.0.0.1. I am not sure I know exactly what a "Heavy Fowarder" is (I am new to Splunk), but from context I don't think they would show as coming from the localhost, right?

davidsykes · ‎03-29-2018

I will edit the original question to include this information.

davidsykes · ‎03-29-2018

Ok, seems I can't edit my question any more. Oh well.

Why is my Splunk Cloud index filling up with spurious events from ms:o365:management?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life