blacklist/exclude devices or sensors

Kieffer87
Communicator

Is there a way to blacklist or exclude certain RNA events based on values in the data? Right now I have 3 sensors which I do not want connection event data sent to Splunk. I'm able to send these events to the nullqueue using props.conf/transforms.conf to find the string sensor=sensors1.domain.com but I'd love to be able to filter these out at the eNcore level so they aren't even written to the log file and processed by Splunk. In the configure it appears as though I can exclude by rec_type but is it possible to exclude by other fields?

0 Karma

douglashurd
Builder

There is no field based criteria you can apply to the estreamer configuration.

There is an ugly approach but it has drawbacks. You'd be using syslog instead of estreamer (eNcore) and sending events directly from the sensor. Or you can send syslog from the FMC using correlation rules when the connection event fits a criteria that you want. This is very flexible but you overwhelm the FMC if you're dealing with very high rates of connection events.

What sort of connection events are you trying to exclude?

0 Karma

Kieffer87
Communicator

We have a multi-domain setup currently and are wanting to send connection events from 1 of the 3 domains. We'd still like the connection events available in the FMC for all domains for analysis but don't need them in Splunk. If there isn't a clean way to do this in eNcore, no big deal, just thought I'd ask. I'm currently using a simple regex on the heavy forwarder to find the sensor names and sending those events to the sinkhole. So far haven't had any issues.

0 Karma
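The heavy-forwarder nullQueue filter that Kieffer87 describes in the question and the last reply, written out as an added example (not from the original thread or the eNcore project); the sourcetype name and the second and third sensor hostnames are assumptions:

```ini
# props.conf  (on the heavy forwarder or indexer that parses the eNcore data;
# TRANSFORMS- settings run at parse time and do not apply on a universal forwarder)
# "cisco:estreamer:data" is an assumed sourcetype name; use the one your eNcore input sets.
[cisco:estreamer:data]
TRANSFORMS-drop_excluded_sensors = drop_excluded_sensors

# transforms.conf
# Events whose raw text matches REGEX are routed to nullQueue and are never indexed.
# Only sensors1.domain.com comes from the thread; the other two names are placeholders.
[drop_excluded_sensors]
REGEX = sensor=(?:sensors1\.domain\.com|sensor2\.example\.com|sensor3\.example\.com)\b
DEST_KEY = queue
FORMAT = nullQueue
```

The dot-escaped hostnames and the trailing word boundary keep a longer name such as sensors1.domain.com.internal from matching by accident; after restarting the forwarder, search the sourcetype for the excluded sensor names to confirm that only new events are dropped, since anything already indexed is untouched.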