Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunkstream disable specified protocol

elend
Path Finder
a week ago

Currently I have setup Splunkstream, but there is a condition where I want to disable some data sources from certain protocols because they consume licenses. Is this possible? my case is i want to disable the stream:udp sourcetype. when i investigating the data it still come from source stream:ES_UDP_RAW.

 

elend_2-1752511946425.png

 

 

Labels (4)
0 Karma
Reply

livehybrid
Ultra Champion
a week ago

Hi @elend 

Splunk stream supports using Berkeley Packet Filter strings to filter out traffic in your streamfwd.conf file.

Something like:

[streamfwd]
streamfwdcapture.0.filter = not udp

For more details check out https://docs.splunk.com/Documentation/StreamApp/8.1.0/DeployStreamApp/ForwarderParameters#:~:text=N%...

 

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

 

Reply

elend
Path Finder
a week ago

i'll try this one next.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
a week ago

You might simply filter out UDP on the OS level so that you don't "filter out" the events but simply don't generate them because you don't see this traffic.

But ask yourself is it what you want. Since you're capturing network data it seems you want network visibility. But now you deliberately want to lose some of this visibility...

0 Karma
Reply

elend
Path Finder
a week ago

yeah, but for now just want to know if it able to disable from the stream conf. I know its better for the full visibility, but again beside because the license limits, also want to know the posibilities.

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Security Professional: Sharpen Your Defenses with These .conf25 Sessions

Sooooooooooo, guess what. .conf25 is almost here, and if you're on the Security Learning Path, this is your ...

First Steps with Splunk SOAR

Our first step was to gather a list of the playbooks we wanted and to sort them by priority.  Once this list ...

How To Build a Self-Service Observability Practice with Splunk Observability Cloud

If you’ve read our previous post on self-service observability, you already know what it is and why it ...
Top