Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Blacklist Dynamically when alert it thrown

robertlynch2020
Motivator
‎08-24-2020 03:32 AM

Hi

We have an issue that sometimes we get very large files or a host produces too much data and we need to stop it coming in. By the time we notice too much "bad data" has been sent.

Is it possible to dynamically stop the data via forwarder or via indexers or "somehow" when an alert is thrown?

Thanks in advance

Robert

 

0 Karma
Reply

rnowitzki
Builder
‎08-24-2020 06:49 AM

Hi @robertlynch2020 ,

Not sure if this is a good idea in your environment, but you could probably write a wrapper script that stops the forwarder and in the alert use the Trigger Action "run a script" that calls this script.

The problem i see is, that you would sometimes trigger this alert when there a lot of "good" events, so just a peak in "normal" events.  

Maybe you can combine the amount of events with some strings that are unique for the "bad" events and only trigger the alert when both is true.

Hope it gives you an idea.

BR
Ralph
--
Karma and/or Solution tagging appreciated.

--
Karma and/or Solution tagging appreciated.
0 Karma
Reply

robertlynch2020
Motivator
‎08-31-2020 04:55 AM

Hi

Thanks for the replay. In the end, we are going to try and use a transform to cut out the bad data.

 

Cheers

Rob

0 Karma
Reply

anm_mporter
Explorer
‎08-31-2020 08:49 AM

if you go down this path, make your life easier with a scripted alert action on your deployment server and an app for the transforms. It will automate deployment to the parsing nodes, and gives you some flexibility about where this filtering is applied.

Basic algorithm:

1. Search for high volume

2. Trigger update alert script

3. Update app in deployment-apps: append to transform REGEX with offending data: just keep adding |NEW PATTERN on the end of the REGEX. If you only care about hosts then use [HOST::*] in props and SOURCE= MetaData:Host in your transform

4. Restart Splunk on deployment server. This is generally easier than trying to login from scripts. You can also trying doing this via REST API: https://docs.splunk.com/Documentation/Splunk/8.0.5/RESTREF/RESTsystem#server.2Fcontrol.2Frestart

0 Karma
Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...