Hello,
I currently have a Splunk universal forwarder on a few of my Windows servers. The UF config is received from my Splunk deployment server. I have .exe processes that are currently using much of my license and would like to stop Splunk from indexing those processes.
All .exe processes I want to ignore are in the c:\Program Files (x86)\Camera System Center 6* subdirectory. I included * to cover all of them.
Would I just add something like below to the universal forwarder config file in the deployment server to achieve my goal?
# Disable Camera Process Monitoring
[monitor://c:\Program Files (x86)\Camera System Center 6\*]
disabled = 1
Thank you!
You will need to nullqueue these events.
These look like process monitoring events, so dropping just the events with your noisy process is the way to go.
I am going to assume these arrive with the sourcetype=proccess_logs.
I am also going to assume that whilst you have version 5.7 installed today it could be 6.0 in the future.
On your HF or indexers (whichever comes first in the Splunk event flow path):
props.conf
[proccess_logs]
TRANSFORMS-drop_cctv_events=drop_cctv_events
transforms.conf
[drop_cctv_events]
REGEX=ProcessName\=.+camera\ssystem\scenter\s\d\.\d\\camerasystem\.exe
DEST_KEY=queue
FORMAT=nullQueue
This only applies to data arriving after the change, but it will prevent these events from being indexed in the future.
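An offline check of the props.conf/transforms.conf pair above, added here as an example and not part of the original answer: it applies the REGEX exactly as written to constructed events laid out like the one posted in this thread, so the pattern can be confirmed before the change is deployed. Python's re accepts this pattern the same way Splunk's PCRE does; the event bodies, the "6" and "6.0" version strings and the name other_sourcetype are constructed for the demo. It also shows the two ways the filter silently does nothing: a ProcessName whose version has no minor number (the OP's "6*" wildcard covers a bare "6", the regex's \d\.\d does not), and an event whose sourcetype is not the one named in the props.conf stanza.

```python
import re

# props.conf / transforms.conf from the answer above, expressed as data.
# The stanza name is copied as written there; the sourcetype an event really
# carries must match it exactly, or the transform is never evaluated.
PROPS = {"proccess_logs": ["drop_cctv_events"]}
TRANSFORMS = {
    "drop_cctv_events": {
        "REGEX": re.compile(
            r"ProcessName\=.+camera\ssystem\scenter\s\d\.\d\\camerasystem\.exe"
        ),
        "DEST_KEY": "queue",
        "FORMAT": "nullQueue",
    }
}


def route(raw: str, sourcetype: str) -> str:
    """Return the queue an event lands in after the TRANSFORMS-* chain.

    Splunk evaluates each transform listed for the event's sourcetype in
    order, searching _raw (unanchored) with REGEX. A hit with DEST_KEY=queue
    writes FORMAT into the queue key; anything not redirected is indexed.
    """
    queue = "indexQueue"
    for name in PROPS.get(sourcetype, []):
        t = TRANSFORMS[name]
        if t["DEST_KEY"] == "queue" and t["REGEX"].search(raw):
            queue = t["FORMAT"]
    return queue


def cctv_event(version: str) -> str:
    """Constructed event in the layout posted in this thread, for a given
    Camera System Center version string."""
    exe = rf"c:\program files (x86)\camera system center {version}\camerasystem.exe"
    return (
        "AddressFamily=ipv4\nPacketType=transport\nDirection=outbound\n"
        "Protocol=TCP\nLocalPort=5500\nRemotePort=61439\n"
        f'ProcessName="{exe}"\nUserName="nt authority\\system"\nUserSid=s-1-5-18\n'
    )


# Constructed event from an unrelated process; it must survive the filter.
OTHER_EVENT = (
    "AddressFamily=ipv4\nDirection=outbound\nProtocol=TCP\nLocalPort=443\n"
    'ProcessName="c:\\windows\\system32\\svchost.exe"\nUserName="nt authority\\system"\n'
)


def check() -> dict:
    """Route a handful of constructed events and report where each ends up."""
    return {
        "cctv_5.7": route(cctv_event("5.7"), "proccess_logs"),
        "cctv_6.0": route(cctv_event("6.0"), "proccess_logs"),
        # bare major version: \d\.\d does not match "6\", so the event is kept
        "cctv_6": route(cctv_event("6"), "proccess_logs"),
        "other": route(OTHER_EVENT, "proccess_logs"),
        # same CCTV event, but a sourcetype with no TRANSFORMS-* stanza (constructed name)
        "wrong_sourcetype": route(cctv_event("5.7"), "other_sourcetype"),
    }


if __name__ == "__main__":
    for name, queue in check().items():
        print(f"{name:18} -> {queue}")
```

If the real events are kept after deploying, the first thing to compare is the sourcetype shown in search against the stanza name in props.conf, and the second is whether the config landed on the first full Splunk instance the forwarder sends to; a universal forwarder does not run these transforms.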
Disabling an input turns off processing of the stanza. It's not the same as "don't ever read files matching this pattern". For that you want the blacklist attribute.
Hi @mysicksi,
you have to add a blacklist option to the inputs.conf stanza that reads these files:
blacklist = <regular expression>
* If set, files from this input are NOT monitored if their path matches the
specified regex.
* Takes precedence over the deprecated '_blacklist' setting, which functions
the same way.
* If a file matches the regexes in both the blacklist and whitelist settings,
the file is NOT monitored. Blacklists take precedence over whitelists.
* No default.
For more info see https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf#Blacklist
In your case:
blacklist = c:\\Program Files \(x86\)\\Camera System Center 6
Otherwise, you can filter these logs on Indexers (or Heavy Forwarders when present) as described at https://docs.splunk.com/Documentation/Splunk/8.0.2/Forwarding/Routeandfilterdatad#Filter_event_data_... .
Ciao.
Giuseppe
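An offline check of the blacklist above, added here as an example and not part of the original answer. Per the inputs.conf spec quoted in the answer, whitelist and blacklist are regexes searched against the path of each file a monitor input discovers (not against event content), and a blacklist match wins over a whitelist match. The code below applies those rules with Python's re (which reads this pattern the same way Splunk's PCRE does) to constructed paths; the whitelist pattern and every path are constructed for the demo.

```python
import re

# blacklist from the answer above, copied verbatim. It is an unanchored
# search over the full file path of every candidate file in the stanza.
BLACKLIST = re.compile(r"c:\\Program Files \(x86\)\\Camera System Center 6")

# Constructed whitelist for the same stanza, present only to show precedence.
WHITELIST = re.compile(r"\.log$")


def monitored(path: str, whitelist=WHITELIST, blacklist=BLACKLIST) -> bool:
    """Apply inputs.conf whitelist/blacklist semantics to one candidate path.

    A file is read only if it does not match the blacklist and, when a
    whitelist is set, does match the whitelist. Blacklist takes precedence.
    """
    if blacklist is not None and blacklist.search(path):
        return False
    if whitelist is not None and not whitelist.search(path):
        return False
    return True


# Constructed candidate paths a monitor stanza might discover.
CANDIDATES = [
    r"c:\Program Files (x86)\Camera System Center 6\logs\service.log",    # both match: blacklist wins
    r"c:\Program Files (x86)\Camera System Center 6.0\logs\service.log",  # "6" is a prefix of "6.0"
    r"c:\Program Files (x86)\Camera System Center 5.7\logs\service.log",  # not blacklisted: read
    r"c:\Program Files (x86)\Camera System Center 6\camerasystem.exe",    # blacklisted
    r"c:\Program Files\Other App\app.log",                                # unrelated: read
]


def evaluate(paths=CANDIDATES) -> dict:
    """Map each candidate path to whether the input would read it."""
    return {p: monitored(p) for p in paths}


if __name__ == "__main__":
    for path, read in evaluate().items():
        print(f"{'read' if read else 'skip':4}  {path}")
```

Because the blacklist is evaluated per file path, it only reduces volume for data that arrives through a file monitor input on those paths; events produced by a Windows-side input that reports a ProcessName are unaffected by it, and the props/transforms route is the one that applies to them.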
Hello,
Thank you for the detailed response. It still did not work. I am actually using 5.7, so I'm not sure if that broke your regex.
Here is one of the events I searched that I would like to have ignored so it does not make it to my search head:
index="windows" ProcessName="c:\program files (x86)\camera system center 5.7\camerasystem.exe"
AddressFamily=ipv4
AddressFamilyId=2
PacketType=transport
PacketTypeId=2
Direction=outbound
Protocol=TCP
ProtocolId=6
LocalAddress=
LocalPort=5500
RemoteHostName=
RemoteAddress=
RemotePort=61439
ProcessName="c:\program files (x86)\camera system center 5.7\camerasystem.exe"
UserName="nt authority\system"
UserSid=s-1-5-18
UserId=0-0
HeaderSizeBytes=0
IPsecProtected=0
TransportHeaderSizeBytes=0
What kind of logs are these? Splunk will not index executable files, so I am not clear on what you are trying to reduce.
Do you mean you are seeing a large number of events for this process in your winevent logs, or is this in some other sourcetype?
Can you post an example of the logs you want to ignore?
Here is one of the events I searched:
index="windows" ProcessName="c:\program files (x86)\camera system center 5.7\camerasystem.exe"
AddressFamily=ipv4
AddressFamilyId=2
PacketType=transport
PacketTypeId=2
Direction=outbound
Protocol=TCP
ProtocolId=6
LocalAddress=
LocalPort=5500
RemoteHostName=
RemoteAddress=
RemotePort=61439
ProcessName="c:\program files (x86)\camera system center 5.7\camerasystem.exe"
UserName="nt authority\system"
UserSid=s-1-5-18
UserId=0-0
HeaderSizeBytes=0
IPsecProtected=0
TransportHeaderSizeBytes=0