Getting Data In

Would like to block a specific Source going to a Heavy Forwarder

evolutionxtinct
Explorer

Hello Community,

Resources:
- Splunk Enterprise On-Prem = v7.1.2
- F5-BIGIP = v13.1.0
- Using: F5 Analytics iApp v3.7.2RC5
- Kiwi SYSLOG (Heavy Forwarder that has a Uni. Forwarder assigned)

Issue:
I'm currently getting bombarded with over 65k events every few seconds that is related to performance data for Memory/CPU, this data comes into our Indexer and is labeled as source=bigip.tmstats.memory_usage_stat I would like to drop this source from being indexed as its taking up close to 80% of my daily license right now.

Please Note: I'm not a heavy Splunk Admin person, so please be gentle.... I break easily 🙂

Any help is greatly appreciated, thanks!

dkeck
Influencer

Hi,

sounds like thats an input of your F5 BIGIP app, just find the inputs,conf on your F5 app and disable the input with the source source=bigip.tmstats.memory_usage_stat

If you can´t find it just grep for it on your CLI in $SPLUNK_HOME/splunk/etc/apps grep -R bigip.tmstats.memory_usage_stat

OR use btool ( in $SPLUNK_HOME/splunk/bin) type ./splunk cmd btool inputs list --debug | grep bigip*

Also check your modular inputs for F5 https://docs.splunk.com/Documentation/AddOns/released/F5BIGIP/Configureinputs

0 Karma

dkeck
Influencer

If it was helpfull please accept the answer, thank you

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...