Getting Data In

100% use of my events.

lufermalgo
Path Finder

Hello community.

I have a query and I don't know if what I'm thinking can be achieved and how or if Splunk already has a way to solve my question.

My question is:
How to know how many bytes and fields extracted from my events in a particular index I am taking advantage of in searches?

I would like to be able to identify if I am indexing more than what is really useful for my dashboards.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @lufermalgo,
I think that the only way to understand if all the indexed logs (or which part of them) are useful for you is to analyze informations in your logs: fields, messages, etc...

Analyzyng this, you can understand if there are events without useful informations and then exclude them before indexing using regexes.
An example to understand: if you need to know only accesses to windows servers, you need only few EventCodes (4624, 4625, 4634, etc...) so you could exclude events e.g. with EventCode=4688 (A new process has been created).

There are two methids to filter events: you can take only some interesting events and discard the others or discard only unuseful events and take all the other events.

The way to filter events is described at https://docs.splunk.com/Documentation/Splunk/8.0.3/Forwarding/Routeandfilterdatad#Filter_event_data_...

Ciao.
Giuseppe

0 Karma

to4kawa
SplunkTrust
SplunkTrust
0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!