
blacklist/exclude devices or sensors

Kieffer87
Communicator

Is there a way to blacklist or exclude certain RNA events based on values in the data? Right now I have 3 sensors for which I do not want connection event data sent to Splunk. I'm able to send these events to the nullQueue using props.conf/transforms.conf to find the string sensor=sensors1.domain.com, but I'd love to be able to filter these out at the eNcore level so they aren't even written to the log file and processed by Splunk. In the configuration it appears as though I can exclude by rec_type, but is it possible to exclude by other fields?

0 Karma
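For reference, the heavy-forwarder filter the question describes, written out as an added example (not the poster's actual configuration). The sourcetype `cisco:estreamer:data`, the sensor hostnames, the `sensor=` field name and the use of `rec_type=71` for connection events are assumptions and should be checked against your own eNcore output before deploying.

```ini
# props.conf  (on the heavy forwarder or indexer that parses the data,
# not on a universal forwarder: nullQueue routing happens at parse time)
# Sourcetype is assumed; confirm with the eNcore input stanza.
[cisco:estreamer:data]
TRANSFORMS-drop_excluded_sensors = drop_excluded_sensors

# transforms.conf
[drop_excluded_sensors]
# Match only connection events (rec_type=71 assumed) from the three sensors.
# Lookahead makes the match independent of field order in _raw.
# Hostnames are placeholders; the trailing \b stops sensor1 matching sensor10.
REGEX = ^(?=.*\brec_type=71\b).*\bsensor=(?:sensor1|sensor2|sensor3)\.domain\.com\b
DEST_KEY = queue
FORMAT = nullQueue
```

Two things to check after a restart: that other connection events from the same sourcetype still arrive (a regex that is too loose drops everything), and that events dropped this way never reach the indexer, so they do not count against license volume; anything that needs to stay searchable for the other two domains must not match the regex.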

douglashurd
Builder

There is no field based criteria you can apply to the estreamer configuration.

There is an ugly approach, but it has drawbacks. You'd be using syslog instead of estreamer (eNcore) and sending events directly from the sensor. Or you can send syslog from the FMC using correlation rules when the connection event fits a criterion that you want. This is very flexible, but you overwhelm the FMC if you're dealing with very high rates of connection events.

What sort of connection events are you trying to exclude?

0 Karma

Kieffer87
Communicator

We have a multi-domain setup currently and are wanting to send connection events from 1 of the 3 domains. We'd still like the connection events available in the FMC for all domains for analysis but don't need them in Splunk. If there isn't a clean way to do this in eNcore, no big deal, just thought I'd ask. I'm currently using a simple regex on the heavy forwarder to find the sensor names and sending those events to the sinkhole. So far haven't had any issues.

0 Karma