Hi, I am currently using the AWS Add-on for Splunk, and am looking to see if I can blacklist based on regex other than the application's UI for blacklisting based on eventNames (using the blacklist method provided by the app: https://docs.splunk.com/Documentation/AddOns/latest/AWS/CloudTrail).
I have a central CloudTrail for all of my accounts and am looking to send logs from a certain account to nullQueue so they are not ingested. The logs do have a field for AccountID. The reason is that the specific logs from the account are about 80 percent of my ingestion and are not needed. I saw this article, but as mentioned before I am not able to modify these files directly due to being on Splunk Cloud: https://docs.splunk.com/Documentation/Splunk/6.4.1/Forwarding/Routeandfilterdatad#Discard_specific_e...
Since I do not have access to modify transforms.conf or props.conf, I was told I could modify the application's .conf files and send a zipped folder of the modified contents for the Splunk team to upload and install.
Currently I do have blacklisting implemented on eventNames, as this is part of the application. Is there any guidance on how I can blacklist based on a regex such as accountID=(id for the account I want to send to nullQueue)?
Maybe you could create a private app having props and transforms conf with stanzas to send matching accountId events to nullQueue, and deploy it using this process to the instance where the AWS add-on is already running.
You don't need to edit the same .conf files in the add-on; instead you can create a private app having your custom configs for sourcetype aws:cloudtrail. Splunk determines this at run-time and merges all of them together. After installation of the private app (UI disabled) on on-prem Splunk, a restart of the HF/Splunk instance is required. In the Splunk Cloud case you shall check how that works.
Hope this helps!
An upvote would be appreciated if this reply helps!
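As an added illustration of the private-app approach described in this answer (not configuration from the original thread or from the AWS add-on itself), here are the two stanzas such an app would carry. It assumes the CloudTrail JSON exposes the account as `recipientAccountId` (check your own events; the field name is an assumption) and uses the constructed placeholder account ID `123456789012`. Index-time routing to nullQueue only takes effect on the instance that parses the data (the HF running the add-on's input, or the indexers), so the app must be installed there.

```ini
# $SPLUNK_HOME/etc/apps/my_cloudtrail_filter/local/props.conf
# Attach a transform class to the add-on's sourcetype. Settings from this
# private app merge with the add-on's own [aws:cloudtrail] stanza at run-time;
# only keys defined here are added or overridden.
[aws:cloudtrail]
TRANSFORMS-drop_noisy_account = drop_noisy_account

# $SPLUNK_HOME/etc/apps/my_cloudtrail_filter/local/transforms.conf
# Events whose _raw matches REGEX are routed to nullQueue and never indexed.
# SOURCE_KEY defaults to _raw, so the regex runs over the whole JSON record.
# Replace 123456789012 (constructed placeholder) with the account to discard.
[drop_noisy_account]
REGEX = "recipientAccountId"\s*:\s*"123456789012"
DEST_KEY = queue
FORMAT = nullQueue
```

Before shipping the app, validate the regex against a handful of real events with `| regex _raw="\"recipientAccountId\"\s*:\s*\"123456789012\""` in search, and confirm after deployment that the account's events stop arriving while other accounts are unaffected.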
Ok, that is interesting. So if I upload a new app with only a transforms and props conf with the exact same stanza (sourcetype) as in the official app, will it add the rules from my private app's stanza to the main one?