Getting Data In

Splunk AWS Blacklist on AccountID - Splunk Cloud

SplunkJ1
Loves-to-Learn Lots

Hi, I am currently using the AWS Add-on for Splunk, and am looking to see if I can blacklist based on a regex other than through the application's UI for blacklisting based on event names (using the blacklist method provided by the app: https://docs.splunk.com/Documentation/AddOns/latest/AWS/CloudTrail).

 

I have a central CloudTrail for all of my accounts and am looking to send logs from a certain account to nullQueue so they are not ingested. The logs do have a field for AccountID. The reason is that the specific logs from the account are about 80 percent of my ingestion and are not needed. I saw this article, but as mentioned before I am not able to modify these files directly due to being on Splunk Cloud: https://docs.splunk.com/Documentation/Splunk/6.4.1/Forwarding/Routeandfilterdatad#Discard_specific_e...

 

Since I do not have access to modify transforms.conf or props.conf, I was told I could modify the application's .conf files and send a zipped folder of the modified contents for the Splunk team to upload and install.

Currently I do have blacklisting implemented on EventNames, as this is part of the application. Is there any guidance on how I can blacklist based on a regex such as accountID=(id for the account I want to send to nullQueue)?

0 Karma

venkatasri
SplunkTrust

Hi @SplunkJ1 

Maybe you could create a private app with props.conf and transforms.conf stanzas that send matching accountId events to nullQueue, and deploy it using this process to the instance where the AWS add-on is already running.

You don't need to edit the same .conf files in the add-on; instead you can create a private app with your custom configs for sourcetype aws:cloudtrail. Splunk determines the configuration at run time and merges all of them together. After installation of the private app (UI disabled) on on-prem Splunk, a restart of the HF/Splunk instance is required. In the Splunk Cloud case you should check how that works.

Hope this helps!

https://dev.splunk.com/enterprise/docs/releaseapps/manageprivatecloud/

--

An upvote would be appreciated if this reply helps!

0 Karma
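As an added illustration of the approach described in this reply (not configuration from the original post or from the AWS add-on itself), here is what the two stanzas in such a private app would look like. The stanza names `drop_cloudtrail_account` and `TRANSFORMS-drop_noisy_account`, and the account number `123456789012`, are placeholders chosen for the example; the regex assumes the raw CloudTrail JSON carries the account in its `recipientAccountId` field, which is how CloudTrail records it, but the OP's own field name should be checked against a sample event.

```ini
# props.conf  (constructed example: bind an index-time transform to the add-on's sourcetype)
# Index-time TRANSFORMS only run on the parsing tier (heavy forwarder / indexers),
# so this app must be installed where aws:cloudtrail data is parsed, not on a search head.
[aws:cloudtrail]
TRANSFORMS-drop_noisy_account = drop_cloudtrail_account

# transforms.conf  (constructed example: discard events for one placeholder account)
[drop_cloudtrail_account]
# Match the raw JSON text, not a search-time extracted field.
# 123456789012 is a placeholder; substitute the account to be dropped.
REGEX = "recipientAccountId"\s*:\s*"123456789012"
DEST_KEY = queue
FORMAT = nullQueue
# recipientAccountId sits near the end of a CloudTrail record, after requestParameters
# and responseElements, which can be large. The default LOOKAHEAD (4096 characters)
# may stop before it, so extend the window or the filter silently stops matching.
LOOKAHEAD = 65536
```

Two checks worth doing before shipping the app: confirm on a handful of raw events that the regex matches only the intended account (a too-loose pattern in a nullQueue transform drops data with no error), and watch the sourcetype's event count after deployment to verify the roughly 80 percent reduction actually appears, since an unmatched transform fails quietly rather than loudly.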

SplunkJ1
Loves-to-Learn Lots

Ok, that is interesting. So if I upload a new app with only a transforms.conf and props.conf containing the exact same stanza (sourcetype) as in the official app, it will add the rules from my private app's stanza to the main one?

0 Karma

venkatasri
SplunkTrust

Technically that works on on-prem unless the add-on is shared across multiple users in Splunk cloud. 

0 Karma