Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Filtering event on splunk fowarder

rbw78
Communicator
‎09-03-2012 07:43 AM

Hello,

Here's the situation.
I have an equipement sending 2 kinds of events with UDP syslog to a splunk fowarder and then send it to a splunk server in TCP.
I would like to filter events on the splunk fowarder with the outputs.conf or inputs.conf files by gathering only 1 kind of log.
i'd see this is possible on the splunk server directly but i want to minimize the impact on the bandwidth and not sending useless logs for nothing.

Is there a way to do that via a regex or specific char on the event ?

Thanks.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MHibbin
Influencer
‎09-03-2012 07:51 AM

Have you read .... http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Routeandfilterdatad

This should get you going? should be fairly simple if you know what you want to exclude

View solution in original post

Reply
Solved! Jump to solution
Solution

MHibbin
Influencer
‎09-03-2012 07:51 AM

Have you read .... http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Routeandfilterdatad

This should get you going? should be fairly simple if you know what you want to exclude

Reply
Solved! Jump to solution

MHibbin
Influencer
‎09-04-2012 02:46 AM

so they are all just applications that run on top of another platform

0 Karma
Reply
Solved! Jump to solution

MHibbin
Influencer
‎09-04-2012 02:45 AM

basically no, Splunk do not have any appliances, the "Heavy" forwarder is simply a regular instance of Splunk that has forwarding enabled... to add some more info a "Light" forwarder is a regular instance of Splunk that has some features disabled such as Splunkweb and indexing. And "Universal" forwarder is a completely stripped down instance of Splunk with no webUI, no python etc. Unfortunately as the docs say unless you simply want to filter on the metadata of host/source/sourcetype, you can not use a light or universal forwarder (i.e. for your event filtering).

Reply
Solved! Jump to solution

rbw78
Communicator
‎09-04-2012 02:26 AM

Well i didn't see this page, thanks.

But i want to do this on a UniversalSplunkFowarder, not a heavy fowarder which is i guess a physical splunk appliance, correct ?

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...