Don't Index Certain Data

Kyle_Brandt
Path Finder

I have turned on security auditing temporarily in Windows and because of this have exceeded my indexing limit.

I was told when purchasing Splunk that you can prevent certain data from being indexed with filters to prevent this from happening.

How do I create one of these filters?

0 Karma

csparling
New Member

Is it also possible to not index certain data if you're not using a forwarder? Our setup is pretty simple in that we only have a single Splunk instance running without any forwarding. I've tried a number of times to set up Splunk to drop data based on the client IP by following the steps outlined but not having any luck!

0 Karma

ziegfried
Influencer

You can find the relevant documentation here: http://www.splunk.com/base/Documentation/4.1.7/Admin/Routeandfilterdata

You need to send those events to the nullQueue via transforms.

gkanapathy
Splunk Employee

This should help with the "which files" question: http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings%3F but pretty much if you're using LWF, you filter on the indexer.

0 Karma

Kyle_Brandt
Path Finder

@ziegfried, any chance you could spoonfeed me an example for wineventlog:security coming in via a light forwarder from certain hosts? Also confused about which props / trans files I should be editing...

0 Karma
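
The nullQueue routing described in the thread, as an added example that is not part of any post above and is not taken from Splunk's own files. It assumes the sourcetype is named WinEventLog:Security, that the files live on the indexer under $SPLUNK_HOME/etc/system/local/, and uses constructed host names (WORKSTATION01, WORKSTATION02) and hypothetical stanza/class names.

```ini
# Constructed example. Put both files on the indexer, e.g. in
# $SPLUNK_HOME/etc/system/local/, because a light forwarder does not
# parse events and so cannot apply these transforms.

# ---- props.conf ----
# Assumption: the Windows Security event log arrives with this sourcetype.
[WinEventLog:Security]
# "drop_security_by_host" is a hypothetical class name; the value names the
# transforms.conf stanza to run against every event of this sourcetype.
TRANSFORMS-drop_security_by_host = drop_security_from_hosts

# ---- transforms.conf ----
[drop_security_from_hosts]
# Test the host metadata rather than the raw event text.
# The host key is stored in the form "host::<name>".
SOURCE_KEY = MetaData:Host
# Constructed host names; list only the hosts whose Security events
# should be discarded.
REGEX = ^host::(WORKSTATION01|WORKSTATION02)$
# Rewrite the event's queue so it goes to nullQueue and is never indexed.
DEST_KEY = queue
FORMAT = nullQueue
```

Restart the indexer after editing; events that were already indexed are not affected. Events sent to nullQueue are discarded, so Security audit records from the listed hosts will not be available for later searches or investigations.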