Prevent events with a specfic IP or Workstation na...

sswigart · ‎06-10-2024

I use Splunk to ingest events from the windows Security, Application and System event logs. We have a scanner that is very noisy and I would like for Splunk not ingest the events that the scanner creates.

I have tried without success to use SEDCMD on my indexer's Props.conf:

SEDCMD-Remove_Scanner_IP_Address = s/\b12\.34\.567\.89\b//g

SEDCMD-Remove_Scanner_Host_Name = s/Workstation_Name\s*=\s*scanner-name01\s*//g

I have also tried to blacklist the IP on each of the host's Splunk UF inputs.conf file:

blacklist = 12\.34\.567\.89

Would appreciate any assistance\suggestions given.

gcusello · ‎06-11-2024

Hi @sswigart ,

as also @dtburrows3 said, SED-CMD removes a part of the event, not the entire event.

If you want to remove the full event before indexing see at https://docs.splunk.com/Documentation/Splunk/9.2.1/Forwarding/Routeandfilterdatad#Filter_event_data_...

Ciao.

Giuseppe

dtburrows3 · ‎06-10-2024

I believe the SEDCMD in props.conf will only replace the substring that is matched with the specified regex. It sounds like you need to have the entire event containing the matched regex to not be indexed at all.

If that is the case then you could set up a props/transform to route those events to nullQueue.

Prevent events with a specfic IP or Workstation name from being ingested.

inputs.conf

props.conf

universal forwarder

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Are you a member of the Splunk Community?