Would like to block a specific Source going to a H...

evolutionxtinct · ‎01-15-2019

Hello Community,

Resources:
- Splunk Enterprise On-Prem = v7.1.2
- F5-BIGIP = v13.1.0
- Using: F5 Analytics iApp v3.7.2RC5
- Kiwi SYSLOG (Heavy Forwarder that has a Uni. Forwarder assigned)

Issue:
I'm currently getting bombarded with over 65k events every few seconds that is related to performance data for Memory/CPU, this data comes into our Indexer and is labeled as source=bigip.tmstats.memory_usage_stat I would like to drop this source from being indexed as its taking up close to 80% of my daily license right now.

Please Note: I'm not a heavy Splunk Admin person, so please be gentle.... I break easily 🙂

Any help is greatly appreciated, thanks!

dkeck · ‎01-16-2019

Hi,

sounds like thats an input of your F5 BIGIP app, just find the inputs,conf on your F5 app and disable the input with the source source=bigip.tmstats.memory_usage_stat

If you can´t find it just grep for it on your CLI in $SPLUNK_HOME/splunk/etc/apps grep -R bigip.tmstats.memory_usage_stat

OR use btool ( in $SPLUNK_HOME/splunk/bin) type ./splunk cmd btool inputs list --debug | grep bigip*

Also check your modular inputs for F5 https://docs.splunk.com/Documentation/AddOns/released/F5BIGIP/Configureinputs

dkeck · ‎01-16-2019

If it was helpfull please accept the answer, thank you

Would like to block a specific Source going to a Heavy Forwarder

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk