Getting Data In

how to throttle some data from being indexed

HadvoraMaya
New Member

Hi,

I have an event that is a real license consumer. I would like to throttle only this event. I want only 1 of 10 hits of the same event to be indexed. All other events will remain the same with no change.

How can I do that?

Thanks,
Michael

0 Karma

FrankVl
Ultra Champion

You can drop events matching a certain regex by assigning them to the null queue:
http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Discard_specific_e...

Question is how you're going to decide which 1 event to keep and which 9 events to drop. If they are somewhat uniformly distributed across time, you could perhaps say everything with millisecond 1-9 goes to the nullQueue and millisecond 0 goes to the parsing queue or something, but that's rather tricky. But as you know the data, perhaps you can think of a field that provides some uniform distribution that you could use for making a 10%-90% split...

0 Karma

HadvoraMaya
New Member

I know the event's name. I just want to filter out 90% of this event from being indexed.
I just need to be able to say that event name MM should be indexed 1 out of 10 events.

0 Karma

FrankVl
Ultra Champion

And as I mentioned: the only thing I can think of to do that is to find a regex that (probably more or less randomly) matches 10% of the events. E.g. by triggering off the milliseconds, or maybe there is some incremental eventID where you could ignore all eventIDs that end with 1-9 and only accept eventIDs ending in 0 or something.

As mentioned: this is all not brilliantly reliable, but it's the best I can think of. As far as I know there is no way to tell Splunk to let 1 out of 10 events through.

0 Karma
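The two answers above describe the mechanism (props.conf sends the sourcetype through a TRANSFORMS class; transforms.conf stanzas with DEST_KEY = queue route matching events to nullQueue or back to indexQueue; a regex on an incrementing eventID does the 1-in-10 split). Because anything that reaches nullQueue is discarded before indexing, a regex that is one character too broad silently throws away data you may later need for an investigation, so it is worth checking the stanzas offline first. The script below is an added example, not code from the thread or from Splunk: it embeds constructed props.conf/transforms.conf text and a few constructed log lines, and simulates Splunk's rule that transforms in a TRANSFORMS list run in order with the last matching DEST_KEY = queue setting winning. The sourcetype name app_mm, the field names event=MM and eventID=<digits>, and the stanza names are assumptions for the illustration. Note that queue routing of this kind happens in the parsing pipeline, i.e. on the indexer or a heavy forwarder, which is where the data in this thread is being sent.

```python
"""Offline check of a Splunk nullQueue "keep 1 in 10" filter.

The conf text and log lines are constructed for this example (not from the
original thread). Assumptions: the noisy event arrives with sourcetype
"app_mm", carries "event=MM" and an incrementing "eventID=<digits>" field.
Events whose eventID ends in 1-9 are dropped, those ending in 0 are kept,
so roughly 1 in 10 survives. All other events are left alone.
"""
import configparser
import re

# Constructed props.conf stanza: run two transforms, in this order.
PROPS_CONF = r"""
[app_mm]
TRANSFORMS-throttle = mm_all_to_null, mm_keep_tenth
"""

# Constructed transforms.conf: first send every MM event to nullQueue,
# then pull the ones whose eventID ends in 0 back to indexQueue.
# \b after MM keeps e.g. "event=MMX" from matching.
TRANSFORMS_CONF = r"""
[mm_all_to_null]
REGEX = event=MM\b
DEST_KEY = queue
FORMAT = nullQueue

[mm_keep_tenth]
REGEX = event=MM\b.*\beventID=\d*0\b
DEST_KEY = queue
FORMAT = indexQueue
"""


def _parse(conf_text):
    """Parse Splunk-style [stanza] / KEY = value text, keeping key case."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep REGEX / DEST_KEY / FORMAT as written
    parser.read_string(conf_text)
    return parser


def load_rules(props_text, transforms_text, sourcetype):
    """Return [(name, compiled_regex, target_queue)] in Splunk's apply order:
    TRANSFORMS-* classes in sorted order, names within a class left to right."""
    stanza = _parse(props_text)[sourcetype]
    transforms = _parse(transforms_text)
    rules = []
    for key in sorted(k for k in stanza if k.startswith("TRANSFORMS-")):
        for name in stanza[key].split(","):
            t = transforms[name.strip()]
            if t.get("DEST_KEY") != "queue":
                continue  # only queue-routing transforms matter here
            rules.append((name.strip(), re.compile(t["REGEX"]), t["FORMAT"]))
    return rules


def route(event, rules):
    """Queue the raw event ends up in. Default is indexQueue; every matching
    rule overwrites the queue, so the last match wins."""
    queue = "indexQueue"
    for _name, regex, target in rules:
        if regex.search(event):
            queue = target
    return queue


def simulate(events, rules):
    """Split events into (kept, dropped) exactly as the parsing queue would."""
    kept = [e for e in events if route(e, rules) == "indexQueue"]
    dropped = [e for e in events if route(e, rules) == "nullQueue"]
    return kept, dropped


def build_sample_events():
    """Constructed sample lines: 20 noisy MM events with consecutive
    eventIDs 10471..10490, plus 3 other events that must never be touched."""
    events = [
        f"2024-12-05 10:22:{i:02d}.117 event=MM eventID={10471 + i} user=alice"
        for i in range(20)
    ]
    events += [
        "2024-12-05 10:22:05.220 event=LOGIN user=bob src=10.0.0.7",
        "2024-12-05 10:22:06.001 event=LOGOUT user=bob",
        "2024-12-05 10:22:07.410 event=MMX eventID=99 user=carol",
    ]
    return events


if __name__ == "__main__":
    rules = load_rules(PROPS_CONF, TRANSFORMS_CONF, "app_mm")
    kept, dropped = simulate(build_sample_events(), rules)
    print(f"kept {len(kept)}, dropped {len(dropped)}")
    for e in kept:
        print("KEEP ", e)
```

Run this against a representative sample of the real events before deploying the stanzas; the cheap check to add is that nothing in `dropped` belongs to any other event type. Dropped events do not count against the indexing license, which is the point of the exercise, but they are also unrecoverable, so keep the regex as specific as the data allows.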

FrankVl
Ultra Champion

How are you currently ingesting that data? On a UF or a HF, through what input method?

0 Karma

HadvoraMaya
New Member

I "shoot" the data from the application into the Splunk engine via a specific port.
Not using a Splunk forwarder.

0 Karma