license violation

aalorro
New Member

Hi, I'm new to Splunk and we just bought a 500 MB license. I capture Windows events; however, we always overshoot our license at 9AM. I monitor about 30 Windows 2008 servers and they generate a lot of logs. How do I filter the logs that we do not need? Most of the event logs are just noise.

Thanks.

Armando A.

kristian_kolb
Ultra Champion

Briang67's advice is a good start, but it might be a lot easier to actually do the nullQueueing on the indexer instead.

It all depends on how data is gathered (UF, HF, WMI, Snare (or similar)). Also, with heavy forwarders you'd have a lot of remote configurations to consider, since you'd be doing the nullQueue filtering on each host generating data. If you are new to the product, you might not want to have to learn how to handle Deployment Server as well.

The penalty for doing the nullQueue filtering on the indexer is that you'll have to transmit the data over the network before discarding it. However, if you currently have 500 MB in 9 hours, you probably have less than 5GB over a full day (since the load is probably not even throughout the day). 5GB of network traffic is not all that much, unless you have really slow links to travel.

/Kristian

jangid
Builder

This link might be useful for you:

http://splunk-base.splunk.com/answers/49366/how-to-ignore-first-three-line-of-my-log

You can also try blacklisting some files if you really don't need them.

briang67
Communicator

You can do this by installing the heavy forwarder and setting up a transform to send the unwanted events to a "null queue". This link details the setup:
Route and filter data
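As an added example (not from any of the posters or from Splunk's own docs), the nullQueue setup Kristian and briang67 describe, written as props.conf/transforms.conf stanzas for the indexer (or a heavy forwarder); the EventCodes and stanza names are placeholders for whatever you have assessed as noise or as worth keeping:

```ini
# props.conf -- attach the transforms to the Windows Security sourcetype.
# Transforms in a comma-separated list run in order and the last one that
# matches decides where the event goes, so "setnull" must come first.
[WinEventLog:Security]
TRANSFORMS-dropnoise = drop_noisy_security_events
TRANSFORMS-keeponly = setnull, keep_security_essentials

# transforms.conf
# Variant 1 (blacklist): events whose EventCode is in the list are routed to
# nullQueue, are never indexed, and do not count against the license.
# Example EventCodes only; replace them with IDs you have reviewed.
[drop_noisy_security_events]
REGEX = (?msi)^EventCode=(4662|5156|5158)\b
DEST_KEY = queue
FORMAT = nullQueue

# Variant 2 (whitelist): drop everything by default ...
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# ... then send only the EventCodes you need back to the index queue.
# Example EventCodes only (logon success/failure, process creation).
[keep_security_essentials]
REGEX = (?msi)^EventCode=(4624|4625|4688)\b
DEST_KEY = queue
FORMAT = indexQueue
```

Use one variant or the other per sourcetype (both are shown here only for comparison), restart splunkd after editing these files, and keep the drop list to EventCodes you have reviewed, since anything sent to nullQueue is not recoverable for later investigations.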
