Getting Data In

Can I restrict the log ingestion when the index capacity reaches its limit on per day basis?

mala_splunk_91
Explorer

Hi, 

In Splunk cloud, Can I restrict the log ingestion when the index capacity reaches its limit on per day basis?

I have logs which is exceeding its indexing capacity on certain days. Is there any way I can block ingestion if the capacity reaches its threshold?

Also, I have another question, Is it possible for me to edit the configuration files to filter logs or send it null queue on the Splunk cloud?

If I want to create custom app to do so. Please share me any related documents to follow.

Thanks, 

Mala Sundaramoorthy

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @mala_splunk_91,

as @VatsalJagani said, there isn't any automatic way to do this.

Obviously you can create an alert that fires when you're reaching e.g. the 50% at midday or the 80% at 5 PM.

So you can turn off some input when the alert fires, but not automatically.

Maybe it's  possible having Phantom, but I never tried.

about configurations, you can modify them only by interface on Splunk Cloud.

It's easier if you have to take on-premise logs using Forwarders, but anyway, always in manual mode not automatically.

About the way to create a custom App, it's a very easy App:

It will be easier when the data Stream Processor will be available (https://docs.splunk.com/Documentation/DSP/1.3.0/User/Filter).

Ciao.

Giuseppe

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

@mala_splunk_91 

 

I hope this helps!!!

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In January, the Splunk Threat Research Team had one release of new security content via the Splunk ES Content ...

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...