Hi,
I would appreciate it if someone could assist me with a problem. The events appearing in the indexer on Splunk Cloud are exceeding my license limit. Is there a way to redirect unwanted events to a null queue?
Hi @AL3Z,
do you have an intermediate Heavy Forwarder between your data sources and Splunk Cloud?
You can configure the filter on this system.
If you haven't, I suggest adding two HFs as concentrators of your on-premise data (it's a best practice!).
If you're speaking of cloud-to-cloud data, you should analyze your data, decide if you really need all of it, and filter it at the inputs.
The last chance is to open a case with Splunk Cloud Support.
Ciao.
Giuseppe
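The null-queue filter Giuseppe refers to is configured in `props.conf` and `transforms.conf` on the Heavy Forwarder (the first full Splunk instance that parses the data; a Universal Forwarder does not apply these). The following is an added example and not configuration from the original thread; the sourcetype `app:log` and the regexes are constructed for illustration.

```ini
# props.conf on the Heavy Forwarder (example, constructed for this thread)
# Stanza name is a constructed sourcetype; replace with your own.
[app:log]
# Transforms in one TRANSFORMS-<class> list run in order. Put the
# "drop" transform first so matching events never reach the indexer.
TRANSFORMS-filter = drop_debug, drop_healthchecks

# transforms.conf on the same Heavy Forwarder
# Events whose _raw matches REGEX are sent to nullQueue and are not
# indexed, so they do not count against the Splunk Cloud license.
[drop_debug]
REGEX = \s(DEBUG|TRACE)\s
DEST_KEY = queue
FORMAT = nullQueue

# Example of keying on a different field than _raw: drop everything
# coming from a constructed health-check source path.
[drop_healthchecks]
SOURCE_KEY = MetaData:Source
REGEX = source::/var/log/app/healthcheck\.log$
DEST_KEY = queue
FORMAT = nullQueue
```

Two caveats: REGEX is matched against `_raw` unless `SOURCE_KEY` is set, so anchor it tightly enough that legitimate events (for example an audit line that happens to contain the word "DEBUG" inside a quoted message) are not dropped. After a restart of the HF, confirm the effect in Splunk Cloud by comparing per-sourcetype volume in `index=_internal source=*license_usage.log type=Usage` before and after the change, and keep a copy of a few dropped event samples so the filter can be audited later.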
Why do we need two HFs as concentrators of on-premise data?
Hi @AL3Z,
for security reasons: to avoid opening a connection between all on-premise systems and Splunk Cloud, and eventually (as in your case) to filter data.
Ciao.
Giuseppe
I'd say that it's not that obvious security-wise. Sure, it might be easier to manage if you have just a limited number of static IPs that you allow outbound connections from rather than several dozen, hundreds or even thousands of sources, but security? Naaah, not really. You're still limiting to a set of destination IPs, and you're supposed to use TLS. You're cool.
But yes, on-premise HF(s) can help you with event filtering and lower your traffic volume before it even hits the cloud infrastructure. If you have the possibility, however, it's best to filter as early as possible (like blacklisting certain events on EventLog inputs).
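Filtering "as early as possible" on a Windows Event Log input means a blacklist in `inputs.conf` on the Universal Forwarder itself, so the events are never sent over the network at all. The stanza below is an added example, not configuration from the thread; the event codes chosen are commonly high-volume ones, but which ones are safe to drop depends on the detections you rely on.

```ini
# inputs.conf on the Windows Universal Forwarder (example, constructed for this thread)
[WinEventLog://Security]
disabled = 0
# blacklist<n> entries take key="<regex>" pairs; an event is dropped at
# the input when every pair in one entry matches.
# 5156: Windows Filtering Platform "connection allowed", very noisy and
# rarely needed when firewall/flow logs are collected elsewhere.
blacklist1 = EventCode="5156"
# 4662: directory service object access, but only when the object type
# is NOT a Group Policy container (negative lookahead keeps GPO changes).
blacklist2 = EventCode="4662" Message="Object Type:\s+(?!groupPolicyContainer)"
# Drop per-source noise rather than whole event codes where possible,
# e.g. a constructed scanner account generating logon events.
blacklist3 = EventCode="4624" Message="Account Name:\s+svc-scanner-placeholder\$"
```

Because blacklisted events never leave the host, they are also unavailable for later forensic review, so document each entry next to the detection inventory that justified it and re-check the list whenever new use cases (for example a lateral-movement rule that needs 4624 from service accounts) are added. Volume before and after the change can be compared in Splunk Cloud with `index=_internal source=*license_usage.log type=Usage` grouped by host.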