Getting Data In

How can I filter logs from being indexed in Splunk Cloud

eddiemashayev
Path Finder

Hey all,

I want to filter logs before they are indexed in Splunk Cloud. For example, I want to filter all logs with host="test*".

How can I do that in Splunk Cloud?

0 Karma

woodcock
Esteemed Legend

You need to create an app for your indexers that sends the selected events to nullQueue; then you need to open a support case to submit it for vetting, which can take a while, but it is getting better.

0 Karma

eddiemashayev
Path Finder

Why is this so complicated? I just want to filter logs before indexing; it should be very simple. Are you sure there is no other way?

0 Karma

eddiemashayev
Path Finder

I didn't find an existing application in Splunk Apps that does the same. Maybe there is some app that has this functionality?

0 Karma

woodcock
Esteemed Legend

You are overestimating what an app is; it is just a package of configuration files. Create your files, package them as an app, and submit them by case to be installed on your indexers.

0 Karma

eddiemashayev
Path Finder

Thanks for the clarification.
I see a lot of documentation on how to do it on premises, but I'm working on Splunk Cloud and I can't access the instance to change /opt/Splunk files.

Do you know of any good documentation for Splunk Cloud?

0 Karma

prakash007
Builder

You can discard the data via nullQueue on your Intermediate/Heavy forwarder...

http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad

0 Karma

eddiemashayev
Path Finder

Thanks for the reply. But I specified it a few times in my question and even bolded it. I need a solution in Splunk Cloud, not at the level of a UF or HF (heavy forwarder).

0 Karma

prakash007
Builder

I guess it should be enabled with props and transforms on the indexers in Splunk Cloud (maybe a support ticket).

https://www.youtube.com/watch?v=RJAaTyFHKeo&index=1&list=PL7zWAA-DF0k9xVLrl1j-lk2F74Ge3EgCZ

0 Karma
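The props/transforms pair the thread arrives at, written out as an added example for the host="test*" case (this is not any poster's configuration); the app name filter_test_hosts and the transform name drop_test_hosts are assumptions, and the files would be packaged as an app and submitted by support case for installation on the Splunk Cloud indexers, as described above:

```ini
# filter_test_hosts/default/app.conf  (app name is an assumption)
[ui]
is_visible = false

[launcher]
description = Drop events from test* hosts before they are indexed

# filter_test_hosts/default/props.conf
# A host:: stanza matches on the event's host field; wildcards are allowed,
# so this matches every host whose name starts with "test".
# TRANSFORMS- settings run at index time, in the parsing pipeline.
[host::test*]
TRANSFORMS-drop_test_hosts = drop_test_hosts

# filter_test_hosts/default/transforms.conf
# REGEX = . matches any event that reaches this transform, and routing it
# to nullQueue discards it before it is written to an index.
[drop_test_hosts]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
```

Because index-time transforms run on the first full Splunk instance that parses the data, with universal forwarders sending straight to Splunk Cloud this configuration has to live on the indexers, which is why a support case rather than a local edit is needed; verify the drop after installation by searching for host=test* over the period following the change and confirming no new events arrive.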