Getting Data In

Prevent events with a specfic IP or Workstation name from being ingested.

sswigart
Engager

I use Splunk to ingest events from the windows Security, Application and System event logs. We have a scanner that is very noisy and I would like for Splunk not ingest the events that the scanner creates. 

I have tried without success to use SEDCMD on my indexer's Props.conf:

SEDCMD-Remove_Scanner_IP_Address = s/\b12\.34\.567\.89\b//g

SEDCMD-Remove_Scanner_Host_Name = s/Workstation_Name\s*=\s*scanner-name01\s*//g

I have also tried to blacklist the IP on each of the host's Splunk UF inputs.conf file:

blacklist = 12\.34\.567\.89

Would appreciate any assistance\suggestions given.

 

Labels (3)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @sswigart ,

as also @dtburrows3 said, SED-CMD removes a part of the event, not the entire event.

If you want to remove the full event before indexing see at https://docs.splunk.com/Documentation/Splunk/9.2.1/Forwarding/Routeandfilterdatad#Filter_event_data_...

Ciao.

Giuseppe

0 Karma

dtburrows3
Builder

I believe the SEDCMD in props.conf will only replace the substring that is matched with the specified regex. It sounds like you need to have the entire event containing the matched regex to not be indexed at all.

If that is the case then you could set up a props/transform to route those events to nullQueue.

0 Karma
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Deprecation of Splunk Observability Kubernetes “Classic Navigator” UI starting ...

Access to Splunk Observability Kubernetes “Classic Navigator” UI will no longer be available starting January ...

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...