Splunk AWS Blacklist on AccountID - Splunk Cloud

SplunkJ1
Loves-to-Learn Lots

Hi, I am currently using the AWS Add-on for Splunk, and am looking to see if I can blacklist based on a regex other than through the application's UI for blacklisting based on eventNames (using the blacklist method provided by the app: https://docs.splunk.com/Documentation/AddOns/latest/AWS/CloudTrail).

 

I have a central CloudTrail for all of my accounts and am looking to send logs from a certain account to nullQueue so they are not ingested. The logs do have a field for AccountID. The reason is that the specific logs from that account are about 80 percent of my ingestion and are not needed. I saw this article, but as mentioned before I am not able to modify these files directly because I am on Splunk Cloud: https://docs.splunk.com/Documentation/Splunk/6.4.1/Forwarding/Routeandfilterdatad#Discard_specific_e...

 

Since I do not have access to modify transforms.conf or props.conf, I was told I could modify the application's .conf files and send a zipped folder of the modified contents for the Splunk team to upload and install.

Currently I do have blacklisting implemented on eventNames, as this is part of the application. Is there any guidance on how I can blacklist based on a regex such as accountID=(ID of the account I want to send to nullQueue)?


venkatasri
SplunkTrust

Hi @SplunkJ1 

Maybe you can create a private app with props.conf and transforms.conf stanzas that send matching accountId events to nullQueue, and deploy it using this process to the instance where the AWS add-on is already running.

You don't need to edit the same .conf files in the add-on; instead you can create a private app with your custom configs for the sourcetype aws:cloudtrail. Splunk determines the configuration at run time and merges all of them together. After installation of the private app (UI disabled) on on-prem Splunk, a restart of the HF/Splunk instance is required. In the Splunk Cloud case you should check how that works.

Hope this helps!

https://dev.splunk.com/enterprise/docs/releaseapps/manageprivatecloud/

--

An upvote would be appreciated if this reply helps!


SplunkJ1
Loves-to-Learn Lots

OK, that is interesting. So if I upload a new app with only a transforms.conf and props.conf with the exact same stanza (sourcetype) as in the official app, it will add the rules from my private app's stanza to the main one?


venkatasri
SplunkTrust

Technically that works on-prem, unless the add-on is shared across multiple users in Splunk Cloud.

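As an added illustration of the private-app approach from the first reply and of the stanza-merging question in the follow-up (example code written for this page, not from the thread, the AWS add-on, or Splunk): the script below writes a minimal private app whose props.conf reuses the add-on's [aws:cloudtrail] stanza and attaches one index-time transform that routes events for a single AWS account to nullQueue, then runs the same regex over three constructed CloudTrail records. The app name ta_cloudtrail_filter, the account ID 123456789012 (the AWS documentation placeholder) and the sample events are assumptions. Two points the thread leaves implicit are built in: the TRANSFORMS- attribute uses a name the add-on does not use, so Splunk's run-time merge adds it to the stanza rather than overriding the add-on's own setting (an attribute with the same name would be replaced according to app precedence), and the regex keys on recipientAccountId, the account that received the event, rather than on any accountId, because a cross-account call carries the caller's account in userIdentity.accountId and would otherwise be dropped by mistake. Index-time transforms only act on the tier that parses the events (the heavy forwarder or IDM running the add-on inputs, or the indexers), so on Splunk Cloud the app has to be installed where the parsing happens.

```shell
#!/bin/sh
# Added example, not code from the thread or from the AWS add-on.
# Assumptions: app name ta_cloudtrail_filter, noisy account 123456789012
# (AWS documentation placeholder), compact JSON records as the add-on emits.

NOISY_ACCOUNT="123456789012"
# PCRE placed in transforms.conf; Splunk applies it to _raw by default.
# Written with " *" (not \s) so the same expression works in grep -E below.
DROP_REGEX="\"recipientAccountId\" *: *\"${NOISY_ACCOUNT}\""

# Writes the private app under $1 and prints the app directory.
build_app() {
    app_dir="$1/ta_cloudtrail_filter"
    mkdir -p "$app_dir/default"

    cat > "$app_dir/default/app.conf" <<EOF
[install]
state = enabled
is_configured = true

[package]
id = ta_cloudtrail_filter

[ui]
is_visible = false
label = CloudTrail account filter
EOF

    # Same sourcetype stanza as the add-on; TRANSFORMS-drop_noisy_account is a
    # key the add-on does not define, so the merge adds it instead of overriding.
    cat > "$app_dir/default/props.conf" <<EOF
[aws:cloudtrail]
TRANSFORMS-drop_noisy_account = drop_noisy_account
EOF

    # Matching events are routed to nullQueue and never reach an index.
    cat > "$app_dir/default/transforms.conf" <<EOF
[drop_noisy_account]
REGEX = ${DROP_REGEX}
DEST_KEY = queue
FORMAT = nullQueue
EOF
    printf '%s\n' "$app_dir"
}

# Prints "drop" if the transform would send the event to nullQueue, else "keep".
classify_event() {
    if printf '%s' "$1" | grep -Eq "$DROP_REGEX"; then
        echo drop
    else
        echo keep
    fi
}

# Constructed sample records (not real CloudTrail data), trimmed to the
# fields that matter. EV_CROSS is the noisy account's role acting in another
# account: userIdentity.accountId matches, recipientAccountId does not.
EV_NOISY='{"eventVersion":"1.08","userIdentity":{"type":"AssumedRole","accountId":"123456789012"},"eventSource":"s3.amazonaws.com","eventName":"GetObject","recipientAccountId":"123456789012"}'
EV_KEEP='{"eventVersion":"1.08","userIdentity":{"type":"IAMUser","accountId":"210987654321"},"eventSource":"iam.amazonaws.com","eventName":"CreateUser","recipientAccountId":"210987654321"}'
EV_CROSS='{"eventVersion":"1.08","userIdentity":{"type":"AssumedRole","accountId":"123456789012"},"eventSource":"sts.amazonaws.com","eventName":"AssumeRole","recipientAccountId":"210987654321"}'

APP_PATH=$(build_app "$(mktemp -d)")
echo "private app written to $APP_PATH (zip this directory for Splunk support)"
for ev in "$EV_NOISY" "$EV_KEEP" "$EV_CROSS"; do
    printf '%s  %s\n' "$(classify_event "$ev")" "$ev"
done
```

The first record is dropped, the other two are kept; the cross-account AssumeRole record is the one a bare accountId regex would have lost. After the app is installed on the parsing tier, confirming the drop is a matter of searching sourcetype=aws:cloudtrail for the account and seeing no new events, while the other accounts' events keep arriving.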