Is there a way to have splunk filter read values externally?

salavi
Observer

We want to limit the ingestion of data that is coming from some sources (in this case the value would be in Properties.HostName) because they basically are not working correctly (customer machines) and continue to spam the system. (Turning them off is not an option. ). I know that we can add hardcoded filters such as below:

Name: Serilog:Filter:nn:Args:expression

Value: @p['AssemlyName'] = 'SomeAssembly.xxx.yyy' and @p['HostName'] in ['Spammer1', 'Spammer2', ...]

But the spammers change from time to time, and we can generate their list.

The question is, if I have a list of these spammers (in any form needed), can I somehow use some sort of value above or some other method to read from that list (in place of the "in [...]" expression above)?


gcusello
SplunkTrust

Hi @salavi ,

are you speaking of a filter at index or search time?

if at search time, you can put the list in a lookup and use it for the search:

<your_search> [ | inputlookup your_lookup.csv | fields HostName]

you can eventually refresh your lookup taking values from a scheduled search:

<your_lookup_search>
| dedup HostName
| table HostName
| outputlookup your_lookup.csv

that you can schedule e.g. every hour.

Ciao.

Giuseppe


salavi
Observer

Thanks for your reply.

No, not in the search. I want to prevent these events (from certain hostnames) from even getting ingested into Splunk to begin with. As I mentioned before, we can do this by adding a logging app service setting (on Azure), but it requires listing the hostnames individually. I was hoping there was a way to read from a list instead.

Currently we are doing something like this.

[image: salavi_0-1724257010673.png]

PickleRick
SplunkTrust

Are you asking if you can do this on egress in Azure, or are you trying to do the equivalent thing on ingress in Splunk?

You can do filtering on input if you use ingest-eval, even using lookups (but not in the Cloud).


salavi
Observer

Basically I am trying to find a way to prevent data from certain hostnames from even getting ingested into Splunk (as a cost-cutting measure, for one thing).

PickleRick
SplunkTrust

The general answer is yes - you can filter out events. The way to do it specific to your need will depend on your precise use case.

Within Splunk you can do it like this

https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad

If you can filter out in Azure so you simply don't send data to Splunk, even better. But this is out of scope for this forum, and you would have to ask some experienced Azure admins how to do so.
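The routing-and-filtering approach linked above works with a regex in transforms.conf, so the hostname list still has to be turned into a pattern. The script below is an added example (not from this thread or from Splunk): it reads a hostname list file, renders the props.conf/transforms.conf stanzas that send matching events to nullQueue, and checks sample events against the same regex so the result can be verified before deploying it. The list file format, the sourcetype name `azure:app:serilog`, and the JSON shape of the events (`"HostName"` under `Properties`, as in the question) are assumptions; the hostnames and events are constructed. Note that this is a static filter: each time the list changes, the stanza has to be regenerated and the configuration reloaded on the indexer or heavy forwarder where index-time transforms run.

```python
import re

# Constructed sample: the externally maintained list of noisy hostnames,
# one per line (file contents embedded inline so the example runs offline).
SPAM_HOSTS_TEXT = """\
Spammer1
Spammer2
# comments and blank lines are ignored
web-node.03
"""

# Constructed sample events in the Serilog-style JSON shape the question describes
# (HostName under Properties); fields other than HostName are made up.
SAMPLE_EVENTS = [
    '{"Timestamp":"2024-08-21T16:00:00Z","Properties":{"HostName":"Spammer1","AssemblyName":"SomeAssembly.xxx.yyy"}}',
    '{"Timestamp":"2024-08-21T16:00:01Z","Properties":{"HostName":"GoodHost7","AssemblyName":"SomeAssembly.xxx.yyy"}}',
    '{"Timestamp":"2024-08-21T16:00:02Z","Properties":{"HostName": "web-node003","AssemblyName":"SomeAssembly.xxx.yyy"}}',
    '{"Timestamp":"2024-08-21T16:00:03Z","Properties":{"HostName": "WEB-NODE.03","AssemblyName":"SomeAssembly.xxx.yyy"}}',
]


def load_hosts(text):
    """Parse the list file: strip whitespace, skip blanks and '#' comments, de-duplicate."""
    hosts = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            hosts.add(line)
    return sorted(hosts)


def build_regex(hosts):
    """PCRE-compatible pattern matching a "HostName" JSON member whose value is one of hosts.

    re.escape() keeps metacharacters in names literal (the dot in web-node.03 must not
    match web-node003), and the closing quote anchors the value so Spammer1 does not
    also match Spammer10. (?i) makes the hostname comparison case-insensitive.
    """
    alternation = "|".join(re.escape(h) for h in hosts)
    return r'(?i)"HostName"\s*:\s*"(?:' + alternation + r')"'


def render_transforms(hosts, stanza="drop_spam_hosts"):
    """transforms.conf stanza: matching events are routed to nullQueue and never indexed."""
    return (
        f"[{stanza}]\n"
        f"REGEX = {build_regex(hosts)}\n"
        "DEST_KEY = queue\n"
        "FORMAT = nullQueue\n"
    )


def render_props(sourcetype, stanza="drop_spam_hosts"):
    """props.conf stanza binding the transform to the sourcetype (sourcetype name is an assumption)."""
    return f"[{sourcetype}]\nTRANSFORMS-drop_spam_hosts = {stanza}\n"


def would_be_dropped(raw_event, hosts):
    """True when the index-time regex would send this raw event to nullQueue."""
    return re.search(build_regex(hosts), raw_event) is not None


def filter_events(events, hosts):
    """Return the events that would survive ingestion, for a quick local check."""
    return [e for e in events if not would_be_dropped(e, hosts)]


if __name__ == "__main__":
    hosts = load_hosts(SPAM_HOSTS_TEXT)
    print(render_props("azure:app:serilog"))
    print(render_transforms(hosts))
    for event in SAMPLE_EVENTS:
        print("DROP" if would_be_dropped(event, hosts) else "KEEP", event)
```

Running the script prints the two stanzas followed by a DROP/KEEP verdict per sample event; of the four constructed events, the ones for `Spammer1` and `WEB-NODE.03` are dropped and the other two are kept. Because the regex runs against `_raw` with the default `SOURCE_KEY`, it drops events at the indexer regardless of the Splunk `host` field, which is what matters here since the noisy machine name lives inside the event body.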

gcusello
SplunkTrust

Hi @salavi ,

at index time, I'm not sure that there is any other solution, unless the Splunk Edge Processor becomes available.

Ciao.

Giuseppe
