How do we send the unwanted log events to null que...

AL3Z · ‎04-28-2023

Hi,
I would appreciate it if someone could assist me with a problem. The events appearing in the indexer on Splunk Cloud are exceeding my license limit. Is there a way to redirect unwanted events to a null queue?

gcusello · ‎04-28-2023

Hi @AL3Z,

have you an intermediate Heavy Forwarder between your data sources and Splunk Cloud?

you can configure the filter on this system.

if You haven't I hint to add two HFs as concentrators of your on premise data (it's a best practice!).

If you're speaking of cloud to cloud data, you should analyze your data and define if you really need all this data and filter them in inputs.

The last chance is to open a case to Splunk Cloud Support.

Ciao.

Giuseppe

AL3Z · ‎04-28-2023

Why do we need two HFs as concentrators on premise data

gcusello · ‎04-28-2023

Hi @AL3Z,

for security reasons: to avoid to open a connection between all on-premise systems and Splunk Cloud and eventually (as in your case) to filter data.

Ciao.

Giuseppe

PickleRick · ‎05-04-2023

I'd say that it's not that obvious security-wise. Sure, it might be easier to manage if you have just limited number of static IPs that you allow outbound connections from than several dozens, hundreds or even thousands sources but security? Naaah, not really. You're still limiting to a set of destination IPs, you're supposed to use TLS. You're cool.

But yes, on-premise HF(s) can help you with event filtering and lower your traffic volume before it even hits the cloud infrastructure. If you have the possibility, however, it's best to filter as early as possible (like blacklisting certain events on EventLog inputs).

How do we send the unwanted log events to null queue in Splunk Cloud?

indexing performance

license usage

monitoring console

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM