Getting Data In

How do I exclude logs from being sent to Splunk to save quota?

hakusama1024
New Member

Hi guys.

I have a daily quota of 3G, but the log volume is too much.
So I'm trying to exclude some logs, like heartbeats, from being sent to Splunk to save some usage.
I'm trying to use Splunk Filter Rules -> Exclude Patterns.

I clicked exclude for some keywords.
But I am still able to see these words when I search in Splunk.
Can anyone help? Thanks.

0 Karma

mstjohn_splunk
Splunk Employee

hi @hakusama1024 ,

Did @pyro_wood 's answer solve your problem? If so, please resolve this post by approving one of them. If not, keep us updated so that someone else can help solve your problem.

Also, if you're feeling generous, give out an upvote to the user that helped ya. 🙂

0 Karma

horsefez
Motivator

Hi @hakusama1024,

I'm not really sure what you mean by "Exclude Patterns", but I can tell you about two ways to filter data before it gets indexed.

Either you filter data at the source, which is the best option because it doesn't generate additional log traffic:
If you have a Universal Forwarder installed on a Linux system, for example, and you want to monitor all the files in /var/log/messages/, you could try to specify which particular files in that directory you are interested in by splitting your single monitor stanza into multiple stanzas.

Or, if granular filtering at the source doesn't work, you can filter at the indexer level (or at the HF level).
There you can filter out and throw away data that matches a regular expression, so it never gets indexed.

There is a very good Splunk Answers post from @lguinn here:
https://answers.splunk.com/answers/59370/filtering-events-using-nullqueue-1.html

This should help you understand how it can be done.

If you give us additional information about the logfiles you want to filter out, we can assist you further.

0 Karma
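The two filtering points described in the answer above (whitelist/blacklist on the forwarder's monitor stanza, and a nullQueue transform chain on the indexer or heavy forwarder) can be dry-run before touching a real deployment. The following is an added example, not code from the thread or from Splunk: it parses constructed inputs.conf, props.conf and transforms.conf fragments written in Splunk's real stanza syntax (the `whitelist`, `blacklist`, `TRANSFORMS-*`, `REGEX`, `DEST_KEY`, `FORMAT`, `nullQueue` and `indexQueue` keys are genuine Splunk settings) and applies their regex semantics to constructed sample paths and syslog events. The simulator itself, its function names and the sample data are assumptions made for illustration; the "drop everything, then re-admit what matches" pattern it shows is the standard way to keep only a few event types from a noisy source.

```python
"""Simulate Splunk's pre-index filtering on constructed config fragments.

Illustrative code for this thread, not Splunk's own implementation.
"""
import re
from configparser import ConfigParser

# Constructed inputs.conf: filter at the source (Universal Forwarder).
# blacklist wins over whitelist; whitelist, when set, must match the full path.
INPUTS_CONF = r"""
[monitor:///var/log]
whitelist = \.log$
blacklist = (heartbeat|rotated)\.log$
"""

# Constructed props.conf / transforms.conf: filter at indexer or HF level.
# drop_all sends every event to nullQueue, then keep_alerts re-routes the
# events that match back to indexQueue. Order in the TRANSFORMS list matters.
PROPS_CONF = r"""
[syslog]
TRANSFORMS-filter = drop_all, keep_alerts
"""

TRANSFORMS_CONF = r"""
[drop_all]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[keep_alerts]
REGEX = (?i)\b(error|fail|denied)
DEST_KEY = queue
FORMAT = indexQueue
"""

# Constructed sample events (syslog-style), not real data.
SAMPLE_EVENTS = [
    "Jan 10 10:00:01 host1 agent[42]: heartbeat ok",
    "Jan 10 10:00:02 host1 sshd[77]: Failed password for root",
    "Jan 10 10:00:03 host1 app[9]: ERROR database unreachable",
    "Jan 10 10:00:04 host1 app[9]: request served in 12ms",
]


def parse_conf(text):
    """Parse a .conf fragment into {stanza: {key: value}}."""
    cp = ConfigParser(interpolation=None)
    cp.optionxform = str  # Splunk keys are case-sensitive (DEST_KEY, FORMAT)
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def is_monitored(path, inputs=INPUTS_CONF):
    """True if the forwarder would read this file at all (source-level filter)."""
    stanza = parse_conf(inputs)["monitor:///var/log"]
    wl, bl = stanza.get("whitelist"), stanza.get("blacklist")
    if bl and re.search(bl, path):
        return False          # blacklist takes precedence
    if wl and not re.search(wl, path):
        return False          # whitelist present but not matched
    return True


def route_event(event, sourcetype="syslog",
                props=PROPS_CONF, transforms=TRANSFORMS_CONF):
    """Return the queue an event ends up in after the TRANSFORMS chain.

    Every matching transform with DEST_KEY = queue overwrites the queue,
    so the last match wins. Splunk orders multiple TRANSFORMS-<class>
    settings lexically; this simulation simply uses file order.
    """
    rules = parse_conf(transforms)
    stanza = parse_conf(props)[sourcetype]
    queue = "indexQueue"      # default destination when nothing matches
    for key, value in stanza.items():
        if not key.startswith("TRANSFORMS-"):
            continue
        for name in (n.strip() for n in value.split(",")):
            rule = rules[name]
            if rule.get("DEST_KEY") == "queue" and re.search(rule["REGEX"], event):
                queue = rule["FORMAT"]
    return queue


def filter_summary(events=SAMPLE_EVENTS):
    """Count how many sample events survive the indexer-level filter."""
    kept = [e for e in events if route_event(e) == "indexQueue"]
    return {"kept": len(kept), "dropped": len(events) - len(kept)}


if __name__ == "__main__":
    for p in ("/var/log/app.log", "/var/log/heartbeat.log", "/var/log/app.log.1"):
        print(f"{p}: monitored={is_monitored(p)}")
    for e in SAMPLE_EVENTS:
        print(f"{route_event(e):10s} {e}")
    print(filter_summary())
```

Run it before deploying: if a heartbeat line still lands in `indexQueue` here, the regex in your transform is what needs fixing, not the UI setting. Note that only data reaching an indexer counts against the license, so dropping at the forwarder (the `is_monitored` path) saves both quota and network traffic, whereas nullQueue on the indexer saves quota only.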

sudosplunk
Motivator

Hello,

The heartbeat messages: are you referring to messages sent from one Splunk component to another? Splunk licensing doesn't count _internal logs. If not, please provide some sample events.

0 Karma