Is there a way to blacklist or exclude certain RNA events based on values in the data? Right now I have 3 sensors which I do not want connection event data sent to Splunk. I'm able to send these events to the nullqueue using props.conf/transforms.conf to find the string sensor=sensors1.domain.com but I'd love to be able to filter these out at the eNcore level so they aren't even writen to the log file and processed by Splunk. In the configure it appears as though I can exclude by rec_type but is it possible to exclude by other fields?
There is no field based criteria you can apply to the estreamer configuration.
There is an ugly approach but it has drawbacks. You'd be using syslog instead of estreamer (eNcore) and sending events directly from the sensor. Or you can send syslog from the FMC using correlation rules when the connection event fits a criteria that want. This is very flexible but you overwhelm the FMC is you're dealing with very high rates of connection events.
What sort of connection events are you trying to exclude?
We have a multi-domain setup currently and are wanting to send connection events from 1 of the 3 domains. We'd still like the connection events available in the FMC for all domains for analysis but don't need them in Splunk. If there isn't a clean way to do this in eNcore, no big deal, just thought I'd ask. I'm currently using a simple regex on the heavy forwarder to find the sensor names and sending those events to the sinkhole. So far haven't had any issues.