Hello all,
I have recently set up Splunk to monitor /var/log/messages.
There is one event in this log that I would like to exclude.
The event itself really does not matter.
I would just like to know how I can keep certain types of data from getting into Splunk, without ignoring the files which the data comes from.
Please help.
We have an outside scanning agency that is constantly doing nmap-like scans of our external perimeter. It is generating a lot of log data on the perimeter Cisco firewalls. We know the IPs that the scanning is coming from; is there a way to tell the forwarders to NOT forward that log data from the firewalls for those IPs?
Thanks for any insights on this. Our Splunk SMEs are looking at Cribl to do this, but reading this thread makes me believe there are configuration settings that might address this?
V/R
Bob M.
@neophyte01, you can use nullQueue for this using transforms.conf and props.conf.
Refer to documentation: http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Discard_specific_e...
@niketnilay thanks. I believe this is what I need.
@neophyte01, I have converted this to an answer. Please accept if your issue is resolved.
And this will be configured on the Indexer/Heavy Forwarder, the one to which your universal forwarder sends data.
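The props.conf / transforms.conf pair the answer refers to, written out as an added example for both cases in this thread (a single noisy event in /var/log/messages, and firewall events from known scanner IPs); this is not configuration from the thread or from Splunk's own docs. The sourcetype name `cisco:asa`, the event text `example-noisy-event` and the scanner IPs `192.0.2.10` / `192.0.2.11` are placeholders to be replaced with your own values.

```ini
# props.conf  (on the indexer or heavy forwarder that receives the UF data)
# The file keeps being monitored; only events matching the named transforms
# are routed to nullQueue and discarded before indexing.

[source::/var/log/messages]
# Placeholder transform name; binds this source to the stanza below.
TRANSFORMS-null = drop_noisy_event

# Placeholder sourcetype for the perimeter firewall feed.
[cisco:asa]
TRANSFORMS-null = drop_scanner_traffic

# transforms.conf

[drop_noisy_event]
# REGEX runs against _raw; match the exact event text you want to exclude
# (placeholder shown). Keep it as specific as possible so nothing else is dropped.
REGEX = example-noisy-event
DEST_KEY = queue
FORMAT = nullQueue

[drop_scanner_traffic]
# Placeholder scanner source IPs (RFC 5737 documentation range). Dots are
# escaped so 192.0.2.10 does not also match 192.0.2.100 via a stray digit;
# the trailing (?!\d) guard prevents that prefix match as well.
REGEX = (?:192\.0\.2\.10|192\.0\.2\.11)(?!\d)
DEST_KEY = queue
FORMAT = nullQueue
```

Events sent to nullQueue never reach an index, so check the result by searching for the event text or the scanner IPs after restarting Splunk on that indexer/heavy forwarder; a universal forwarder cannot apply these transforms itself.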