Getting Data In

100% use of my events.

lufermalgo
Path Finder

Hello community.

I have a query and I don't know if what I'm thinking can be achieved and how or if Splunk already has a way to solve my question.

My question is:
How to know how many bytes and fields extracted from my events in a particular index I am taking advantage of in searches?

I would like to be able to identify if I am indexing more than what is really useful for my dashboards.

0 Karma

gcusello
Legend

Hi @lufermalgo,
I think that the only way to understand if all the indexed logs (or which part of them) are useful for you is to analyze informations in your logs: fields, messages, etc...

Analyzyng this, you can understand if there are events without useful informations and then exclude them before indexing using regexes.
An example to understand: if you need to know only accesses to windows servers, you need only few EventCodes (4624, 4625, 4634, etc...) so you could exclude events e.g. with EventCode=4688 (A new process has been created).

There are two methids to filter events: you can take only some interesting events and discard the others or discard only unuseful events and take all the other events.

The way to filter events is described at https://docs.splunk.com/Documentation/Splunk/8.0.3/Forwarding/Routeandfilterdatad#Filter_event_data_...

Ciao.
Giuseppe

0 Karma

to4kawa
Ultra Champion
0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...