
Can Splunk Cloud filter out events without an on-prem Heavy Forwarder?

stefanovalentin
New Member

Is it possible to implement event filtering (and/or routing) in a managed Splunk Cloud deployment without the usage of an on-prem Heavy Forwarder?

The scenario is:
- Running a managed Splunk Cloud instance
- Need to ingest AWS Cloudtrail logs (preferably using the "AWS Add-on" app and configuring an SQS-based S3 input)
- Need to filter out the majority of Cloudtrail events before they hit the Index and so impact the license
- (Critical requirement) Need to avoid "external" self-managed components like Heavy Forwarders (main reason to get a managed Cloud instance)

If the answer is no, I am also open to other suggestions.

Note: I am aware that the AWS Add-on allows you to set up a "Generic S3" input for Cloudtrail that implements "in-line" event blacklisting. Unfortunately this is not an option in my scenario, as that input type is way too heavy on S3 operations.

0 Karma

VatsalJagani
SplunkTrust

Hi @stefanovalentino,

Yes, you can do that with the props.conf and transforms.conf configuration below. You need to put this on the Indexer in the Cloud instance. This configuration will stop the events from being indexed on the indexer.

props.conf
# The stanza is the source, sourcetype, or host whose events you want to filter
[<source/sourcetype/host on which you want to filter the events>]
TRANSFORMS-filter_events = filter_events_tr

transforms.conf
[filter_events_tr]
# REGEX is matched against _raw (the default SOURCE_KEY); matching events are routed to nullQueue and never indexed
REGEX = <regex which defines which events to be filtered out from _raw>
DEST_KEY = queue
FORMAT = nullQueue

Hope this helps!!!

stefanovalentin
New Member

Thank you @VatsalJagani !

Follow-up question - what's the best way to manage props/transform files in a Cloud instance? I have heard you can manage those through vetted apps, but the process of updating an app through Splunk support can be tedious and slow sometimes...

0 Karma

VatsalJagani
SplunkTrust

@stefanovalentino - No. In Splunk Cloud, the only way is to ask the support team to put these configurations in place, as this requires backend access. Even if there had been another way, I would have recommended that you go through the Cloud support team.

0 Karma

ColinJacksonPS
Path Finder

I've been trying to figure this one out, but Splunk Cloud basically said to make a custom app to get this to work. Barebones app, AppInspect, failed vetting.
No app.conf, random /tmp/<blah blah> directory errors. It's a mess.

tl;dr - you can't send them a conf file and say, "please install this"

0 Karma
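
Taking the props/transforms answer above and the app-packaging trouble in this post together, the following is an added Python example, not code from anyone in the thread: it dry-runs the nullQueue REGEX against constructed CloudTrail records so the license impact can be estimated before a support ticket goes in, and it scaffolds the conf files into a minimal app directory with an app.conf and packs it as a .tgz. The sourcetype aws:cloudtrail, the stanza names, the readOnly-based regex, the app name ta_cloudtrail_filter and the app.conf keys are assumptions chosen for this example. Splunk evaluates REGEX with PCRE against _raw, so a pattern that relies on features Python's re lacks still needs checking on the Splunk side.

```python
"""Dry-run a Splunk nullQueue filter for CloudTrail and package it as a
minimal app. Constructed example; stanza names, sourcetype, regex, app name
and app.conf keys are assumptions, not taken from the thread."""
import configparser
import json
import re
import tarfile
import tempfile
from pathlib import Path

APP_NAME = "ta_cloudtrail_filter"  # hypothetical app/folder name

# props.conf: attach the transform to the CloudTrail sourcetype (assumed to
# be aws:cloudtrail, the sourcetype the AWS Add-on assigns).
PROPS_CONF = """\
[aws:cloudtrail]
TRANSFORMS-filter_events = cloudtrail_drop_readonly
"""

# transforms.conf: CloudTrail records carry a boolean "readOnly" field;
# events where it is true (Describe*/List*/Get* calls) go to nullQueue and
# never reach the index or the license meter.
TRANSFORMS_CONF = """\
[cloudtrail_drop_readonly]
REGEX = "readOnly"\\s*:\\s*true
DEST_KEY = queue
FORMAT = nullQueue
"""

# app.conf: assumed minimal set of keys for a packaged, UI-less app.
APP_CONF = f"""\
[install]
is_configured = 0
state = enabled

[ui]
is_visible = 0
label = CloudTrail nullQueue filter

[launcher]
author = example
description = Index-time filter for read-only CloudTrail events
version = 1.0.0

[package]
id = {APP_NAME}
check_for_updates = 0
"""


def load_transform(transforms_text: str, stanza: str) -> re.Pattern:
    """Parse the transforms.conf stanza and compile its REGEX (Python re
    stands in for Splunk's PCRE here; keys are lower-cased by configparser)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(transforms_text)
    sect = cp[stanza]
    if sect["dest_key"] != "queue" or sect["format"] != "nullQueue":
        raise ValueError("stanza is not a nullQueue routing transform")
    return re.compile(sect["regex"])


def route(raw: str, pattern: re.Pattern) -> str:
    """Queue the event lands in: nullQueue on a REGEX match, else indexQueue."""
    return "nullQueue" if pattern.search(raw) else "indexQueue"


def simulate(events, transforms_text=TRANSFORMS_CONF,
             stanza="cloudtrail_drop_readonly") -> dict:
    """Classify each _raw event and tally bytes kept vs dropped, which is
    the license impact the filter is meant to control."""
    pattern = load_transform(transforms_text, stanza)
    tally = {"indexQueue": 0, "nullQueue": 0, "bytes_indexed": 0, "bytes_dropped": 0}
    for raw in events:
        q = route(raw, pattern)
        tally[q] += 1
        tally["bytes_indexed" if q == "indexQueue" else "bytes_dropped"] += len(raw.encode())
    return tally


def build_app(dest: Path) -> Path:
    """Write <app>/default/*.conf and pack it as <app>.tgz with the app
    folder at the top level of the archive."""
    app_dir = dest / APP_NAME
    (app_dir / "default").mkdir(parents=True, exist_ok=True)
    (app_dir / "default" / "app.conf").write_text(APP_CONF)
    (app_dir / "default" / "props.conf").write_text(PROPS_CONF)
    (app_dir / "default" / "transforms.conf").write_text(TRANSFORMS_CONF)
    tgz = dest / f"{APP_NAME}.tgz"
    with tarfile.open(tgz, "w:gz") as tar:
        tar.add(app_dir, arcname=APP_NAME)
    return tgz


def packaged_members() -> list:
    """Build the package in a scratch directory and list its members."""
    with tempfile.TemporaryDirectory() as tmp:
        with tarfile.open(build_app(Path(tmp))) as tar:
            return sorted(tar.getnames())


# Constructed sample CloudTrail records (real field names, placeholder values).
SAMPLE_EVENTS = [
    json.dumps({"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
                "readOnly": True, "userIdentity": {"arn": "arn:aws:iam::000000000000:user/example"}}),
    json.dumps({"eventName": "ListBuckets", "eventSource": "s3.amazonaws.com", "readOnly": True}),
    json.dumps({"eventName": "CreateUser", "eventSource": "iam.amazonaws.com", "readOnly": False}),
    json.dumps({"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com", "readOnly": False}),
]

if __name__ == "__main__":
    print(simulate(SAMPLE_EVENTS))
    print(packaged_members())
```

Run it as-is to see the kept/dropped split for the sample records and the archive layout; swap in a day of exported CloudTrail records for SAMPLE_EVENTS to size the real saving before the configuration is handed to support.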