Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: How to limit the amount of data that a splun...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi there
I am using Splunk Enterprise for security purposes...
But ther is a lot of extraneous data in my Splunk at the moment. Looking through the dashboards I am finding a lot of performance and operational status data which I don't need. The problem is that my splunk license allows me to analyze 2gb of data in a 24 hour period. I would say that at the moment 70% of the data that goes through the system is not security related and the system was procured as a security monitoring system.
I would like to find a way to reduce the mount of the data that the "forwarders" send back to the Splunk back end for processing. i.e. exclude all of the performance and operational data from the analysis.
My intention is to use that freed up bandwidth to push some Anti Virus and Firewall logs to splunk instead of server performance data.
I would really really appreciate some help with this. I have searched previous questions, but can't seem to find the answer. However, if there is a page you know of where I can find my answer please send me the link 🙂
Kind Regards
Vera
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
You just need to disable the inputs that you dont need, and you will stop receiving that data.
If in the same source, there is performance and security data mixed, then you can use the null queue to avoid indexing the events that matches the patterns you define.
Regards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello, look at http://docs.splunk.com/Documentation/Splunk/6.0.1/Forwarding/Routeandfilterdatad : "Filter event data and send to queues"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you realsplunk, that document will be useful! 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
You just need to disable the inputs that you dont need, and you will stop receiving that data.
If in the same source, there is performance and security data mixed, then you can use the null queue to avoid indexing the events that matches the patterns you define.
Regards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you so much, appreciate your help! 🙂
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
