Prevent events with a specfic IP or Workstation na...

sswigart · ‎06-10-2024

I use Splunk to ingest events from the windows Security, Application and System event logs. We have a scanner that is very noisy and I would like for Splunk not ingest the events that the scanner creates.

I have tried without success to use SEDCMD on my indexer's Props.conf:

SEDCMD-Remove_Scanner_IP_Address = s/\b12\.34\.567\.89\b//g

SEDCMD-Remove_Scanner_Host_Name = s/Workstation_Name\s*=\s*scanner-name01\s*//g

I have also tried to blacklist the IP on each of the host's Splunk UF inputs.conf file:

blacklist = 12\.34\.567\.89

Would appreciate any assistance\suggestions given.

gcusello · ‎06-11-2024

Hi @sswigart ,

as also @dtburrows3 said, SED-CMD removes a part of the event, not the entire event.

If you want to remove the full event before indexing see at https://docs.splunk.com/Documentation/Splunk/9.2.1/Forwarding/Routeandfilterdatad#Filter_event_data_...

Ciao.

Giuseppe

dtburrows3 · ‎06-10-2024

I believe the SEDCMD in props.conf will only replace the substring that is matched with the specified regex. It sounds like you need to have the entire event containing the matched regex to not be indexed at all.

If that is the case then you could set up a props/transform to route those events to nullQueue.

Prevent events with a specfic IP or Workstation name from being ingested.

inputs.conf

props.conf

universal forwarder

Mastering Data Pipelines: Unlocking Value with Splunk

The Latest Cisco Integrations With Splunk Platform!

AI Adoption Hub Launch | Curated Resources to Get Started with AI in Splunk