Hi, I'm new to Splunk and we just bought a 500 MB license. I capture Windows events; however, we always overshoot our license at 9AM. I monitor about 30 Windows 2008 servers and they generate a lot of logs. How do I filter the logs that we do not need? Most of the event logs are just noise.
Thanks.
Armando A.
Briang67's advice is a good start, but it might be a lot easier to actually do the nullQueueing on the indexer instead.
It all depends on how data is gathered (UF, HF, WMI, Snare (or similar)). Also, with heavy forwarders you'd have a lot of remote configurations to consider, since you'd be doing the nullQueue filtering on each host generating data. If you are new to the product, you might not want to have to learn how to handle Deployment Server as well.
The penalty for doing the nullQueue filtering on the indexer is that you'll have to transmit the data over the network before discarding it. However, if you currently have 500 MB in 9 hours, you probably have less than 5GB over a full day (since the load is probably not even throughout the day). 5GB of network traffic is not all that much, unless you have really slow links to travel.
/Kristian
This link might be useful for you:
http://splunk-base.splunk.com/answers/49366/how-to-ignore-first-three-line-of-my-log
You can also try blacklisting some files if you really don't need them.
You can do this by installing the heavy forwarder and setting up a transform to send the unwanted events to a "null queue". This link details the setup:
Route and filter data
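
The null-queue filtering described in the answers above, as an added example that is not part of the original thread. It assumes the events arrive with the sourcetype `WinEventLog:Security`; the stanza name `drop_noisy_eventcodes` is hypothetical and the event codes are sample values.

```ini
# props.conf -- on the instance that parses the data
# (the indexer, or a heavy forwarder if one sits in front of it)
# Assumption: events arrive with sourcetype WinEventLog:Security.
[WinEventLog:Security]
TRANSFORMS-drop_noise = drop_noisy_eventcodes

# transforms.conf -- on the same instance
# "drop_noisy_eventcodes" is a hypothetical stanza name.
[drop_noisy_eventcodes]
# Sample event codes only (5156 and 5158, Windows Filtering Platform).
# Replace them with codes you have confirmed are not needed for
# detection, audit or incident response.
REGEX = (?m)^EventCode=(5156|5158)\b
# Matching events are routed to the null queue and discarded
# before they are indexed.
DEST_KEY = queue
FORMAT = nullQueue
```

Events discarded this way are never indexed, so they do not count against the license and cannot be searched later. Restart Splunk on that instance for the change to take effect.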