Getting Data In

Filtering events on Splunk forwarder

rbw78
Communicator

Hello,

Here's the situation.
I have a piece of equipment sending 2 kinds of events with UDP syslog to a Splunk forwarder, which then sends them to a Splunk server over TCP.
I would like to filter events on the Splunk forwarder with the outputs.conf or inputs.conf files by gathering only 1 kind of log.
I see this is possible on the Splunk server directly, but I want to minimize the impact on the bandwidth and not send useless logs for nothing.

Is there a way to do that via a regex or a specific char in the event?

Thanks.

0 Karma
1 Solution

MHibbin
Influencer

Have you read .... http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Routeandfilterdatad

This should get you going? It should be fairly simple if you know what you want to exclude.

MHibbin
Influencer

So they are all just applications that run on top of another platform.

0 Karma

MHibbin
Influencer

Basically no, Splunk does not have any appliances. The "Heavy" forwarder is simply a regular instance of Splunk that has forwarding enabled. To add some more info, a "Light" forwarder is a regular instance of Splunk that has some features disabled, such as Splunkweb and indexing. And the "Universal" forwarder is a completely stripped-down instance of Splunk with no web UI, no Python, etc. Unfortunately, as the docs say, unless you simply want to filter on the metadata of host/source/sourcetype, you cannot use a light or universal forwarder (i.e. for your event filtering).

rbw78
Communicator

Well, I didn't see this page, thanks.

But I want to do this on a Universal Splunk Forwarder, not a heavy forwarder, which is, I guess, a physical Splunk appliance, correct?

0 Karma
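
As an added example (not posted by anyone in this thread), this is the nullQueue routing pattern from the "Route and filter data" documentation linked in the accepted answer, set up to keep only one kind of event on a heavy forwarder. The UDP port, the sourcetype name `device_syslog` and the pattern `WANTED_EVENT_MARKER` are assumptions to be replaced with your own values.

```ini
# Added example, not from the thread. This only takes effect on a heavy
# forwarder (a full Splunk instance with forwarding enabled), because that
# is where events are parsed before being sent on to the indexer.

# --- inputs.conf ---
# Assumed: the device sends syslog to UDP port 514 on the forwarder.
# A dedicated (assumed) sourcetype keeps the filter from touching other inputs.
[udp://514]
sourcetype = device_syslog

# --- props.conf ---
# Transforms run left to right: first mark every event for discard,
# then re-route the events that match the wanted pattern.
[device_syslog]
TRANSFORMS-filter = setnull, setkeep

# --- transforms.conf ---
[setnull]
# Matches every event and sends it to the null queue, so it is dropped
# on the forwarder and never uses bandwidth towards the Splunk server.
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setkeep]
# Placeholder pattern: replace with text that appears only in the kind
# of event you want to keep. Matching events go back to the index queue.
REGEX = WANTED_EVENT_MARKER
DEST_KEY = queue
FORMAT = indexQueue
```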