Installation

license violation

aalorro
New Member

Hi, I'm new to Splunk and we just bought a 500 MB license. I capture Windows events; however, we always overshoot our license at 9 AM. I monitor about 30 Windows 2008 servers and they generate a lot of logs. How do I filter the logs that we do not need? Most of the event logs are just noise.

Thanks.

Armando A.


kristian_kolb
Ultra Champion

Briang67's advice is a good start, but it might be a lot easier to actually do the nullQueueing on the indexer instead.

It all depends on how data is gathered (UF, HF, WMI, Snare (or similar)). Also, with heavy forwarders you'd have a lot of remote configurations to consider, since you'd be doing the nullQueue filtering on each host generating data. If you are new to the product, you might not want to have to learn how to handle Deployment Server as well.

The penalty for doing the nullQueue filtering on the indexer is that you'll have to transmit the data over the network before discarding it. However, if you currently have 500 MB in 9 hours, you probably have less than 5 GB over a full day (since the load is probably not even throughout the day). 5 GB of network traffic is not all that much, unless you have really slow links to travel over.

/Kristian

jangid
Builder

This link might be useful for you:

http://splunk-base.splunk.com/answers/49366/how-to-ignore-first-three-line-of-my-log

and you can also try blacklisting some files if you really don't need them.


briang67
Communicator

You can do this by installing the heavy forwarder and setting up a transform to send the unwanted events to a "null queue". This link details the setup:
Route and filter data
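A worked configuration for the nullQueue approach described in the two answers above (indexer-side per Kristian, heavy-forwarder-side per briang67), added here as an example and not taken from the original thread or the Splunk documentation. The sourcetype name `WinEventLog:Security` and the event IDs 4662, 5156 and 5158 are assumptions chosen for illustration; pick the IDs from your own volume analysis, and confirm none of them feed a detection you rely on before discarding them.

```ini
# --- props.conf (on the indexer, or on the heavy forwarder if you parse there) ---
# Assumed sourcetype name; match it to what your Windows inputs actually emit.
# The TRANSFORMS-<class> key names a stanza in transforms.conf; the class
# suffix ("null") only has to be unique within this props stanza.
[WinEventLog:Security]
TRANSFORMS-null = drop_noisy_security_events

# --- transforms.conf (same host as the props.conf above) ---
# REGEX runs against _raw at parse time. Classic (non-XML) Windows events
# carry an "EventCode=<id>" line, so anchoring on it keeps the match cheap.
# Event IDs below are placeholders for this example, not a recommendation.
[drop_noisy_security_events]
REGEX = EventCode=(?:4662|5156|5158)\b
DEST_KEY = queue
FORMAT = nullQueue

# Caveats that matter for the license question in this thread:
#  * Events sent to nullQueue are never indexed and do not count against
#    the daily license volume, but they still cross the network if the
#    filtering happens on the indexer (Kristian's point).
#  * Parsing happens once. If a heavy forwarder already parsed the data,
#    the indexer will not apply these props/transforms again, so put the
#    stanzas wherever the parsing actually occurs.
#  * A props.conf/transforms.conf change needs a restart (or a debug
#    refresh) of that Splunk instance to take effect.

# --- inputs.conf (optional, on a universal forwarder) ---
# Newer universal forwarders can drop event IDs before sending, which avoids
# the network cost entirely. Assumes a forwarder version that supports the
# whitelist/blacklist keys on WinEventLog inputs.
[WinEventLog://Security]
disabled = 0
blacklist = 4662,5156,5158
```

After deploying, a search such as `index=_internal source=*metrics.log group=per_sourcetype_thruput` on the indexer shows whether the per-sourcetype ingest volume actually dropped.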
