How do I limit what kind of events go into Splunk to avoid daily license limit?

New Member

Hi everyone,

As the title suggests I was wondering if I can filter the logs that go into Splunk to avoid the daily volume limit. Our catalina logs show a lot of junk, and we only want the good stuff. Letting it index all of it would easily go over the limit.

I looked in the documentation, and it says that I can configure routing and filtering ONLY on a heavy forwarder, not a universal one.

If this is the case, then I should point all my uniForwarders to the heavy forwarder to do the filtering right?

Does sending traffic to nullQueue prevent the daily volume from going up? Or does it still count it?

0 Karma
1 Solution

Builder

@rung8: you don't have to point all your forwarders to a heavy forwarder; you can filter the unwanted data via nullQueue on the indexers as well, and those events are not counted against your license volume (the nullQueue routing happens during the parsing phase of the pipeline).
Hope these Splunk docs will give you an idea...
http://docs.splunk.com/Documentation/Splunk/7.2.1/Forwarding/Routeandfilterdatad#Filtereventdataandsendtoqueues
http://docs.splunk.com/Documentation/Splunk/7.2.1/Admin/Configurationparametersandthedatapipeline#Ho...configurationparameterscorrelatetophasesofthepipeline


Splunk Employee

@prakash007 is correct in his comment. I would caution you when filtering out data, however. Sometimes we don't know what we don't know, so be careful to be very specific with your regex when filtering. I have seen several customers who have inadvertently filtered out things that they didn't intend to.

0 Karma
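To make the accepted answer and the caution above concrete, here is an added example (not code from either poster or from the Splunk docs) of the allowlist form of that routing for a catalina sourcetype, placed on the indexer in props.conf and transforms.conf; the sourcetype name, the severity keywords and the regex are assumptions about the log format.

```ini
# props.conf -- applied on the indexer (or on a heavy forwarder, if one
# sits in front of the indexers). The sourcetype name is an assumption.
[catalina]
TRANSFORMS-catalina_routing = catalina_setnull, catalina_keep

# transforms.conf -- the two stanzas run in the order listed above, and
# the last one whose REGEX matches decides which queue the event goes to.

# 1) Default: route every event of this sourcetype to nullQueue.
#    Events dropped here are never indexed and do not count toward the
#    daily license volume.
[catalina_setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# 2) Pull back only the events you want to keep. The regex runs against
#    the whole event (_raw, after line merging), so a stack trace merged
#    into a SEVERE event is kept together with it. The anchored prefix
#    (date, time, level) and the level names are an assumption about the
#    catalina log format; test the pattern against a sample of real events
#    first, because an allowlist silently drops everything it fails to match.
[catalina_keep]
REGEX = ^\S+\s+\S+\s+(SEVERE|WARNING|ERROR|WARN)\s
DEST_KEY = queue
FORMAT = indexQueue
```

Restart splunkd after editing the files, then compare event counts for the sourcetype before and after the change to confirm only the intended events were dropped.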

Ultra Champion

And others that use the searches from that data point draw conclusions on incomplete data sets...

0 Karma
