I'm using an AWS setup with ELB sending constant healthcheck messages to my Apache server. Splunk is indexed to capture access logs. 37% of my access logs are captured with this unwanted healthcheck data. I wanted to blacklist this incoming data, so I have added the configuration below to splunkd's inputs.conf. The configuration below is not working even after a splunkd restart.
[monitor://]
blacklist1 = Response_code=200 && "healthcheck"
Please provide me a solution on how blacklisting of incoming traffic with response_code=200 and message="healthcheck" can be configured.
Hi Giuseppe,
As I'm using an AWS setup, ELB is checking for server availability and healthcheck logs are consuming more data. This is unwanted data.
I do not want any incoming message with "ELB-HealthChecker/2.0" and Response_Code=200 in Splunk indexes.
Below is the log message I want to filter:
10.9x.xx.xx - - [31/May/2020:00:05:32 -0500] "GET /healthcheck HTTP/1.1" Response_Code=200 Bytes=26 "-" "ELB-HealthChecker/2.0" Response_Time=150
What are the correct regex and steps to do this?
Hi @aswinkumar6,
blacklist in monitor stanzas (not in Windows wineventlog stanzas) is related only to filenames, not to events.
See my answer to your previous question https://answers.splunk.com/answers/824761/what-are-ways-to-optimize-splunk-license-usage.html .
As I said, you have to find the correct regex to filter your data (if you share some samples I can help you) and then put the following files on your indexers or (if present) on your Heavy Forwarders (this is an example of a regex to define against your logs):
In props.conf:
[my_sourcetype]
TRANSFORMS-null= setnull
in transforms.conf:
[setnull]
REGEX = message\=healthcheck
DEST_KEY = queue
FORMAT = nullQueue
(if the string message=healthcheck is present in the events to discard)
Ciao.
Giuseppe
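An added example, not part of the thread: it builds a transforms.conf REGEX from the sample line the asker posted (matching both the "ELB-HealthChecker/2.0" user agent and Response_Code=200, so failed health checks and real traffic to /healthcheck are kept) and checks it offline against constructed events before it is deployed to the nullQueue rule. Splunk evaluates REGEX with PCRE; Python's re is used here only as an offline check of this particular pattern, and all events other than the first are constructed.

```python
import re

# Candidate REGEX for transforms.conf: two lookaheads so the order of the
# fields in the event does not matter. Matches only when the event carries
# both the ELB health checker user agent and a 200 response code.
HEALTHCHECK_REGEX = r'^(?=.*Response_Code=200)(?=.*"ELB-HealthChecker/2\.0")'

# Stanza as it would go into transforms.conf (assumption: props.conf for the
# access-log sourcetype references it with TRANSFORMS-null = setnull).
TRANSFORMS_CONF = f"""[setnull]
REGEX = {HEALTHCHECK_REGEX}
DEST_KEY = queue
FORMAT = nullQueue
"""

# First event is the one posted in the question; the others are constructed
# to confirm that real users, failed health checks and manual /healthcheck
# requests are NOT dropped.
SAMPLE_EVENTS = [
    '10.9x.xx.xx - - [31/May/2020:00:05:32 -0500] "GET /healthcheck HTTP/1.1" Response_Code=200 Bytes=26 "-" "ELB-HealthChecker/2.0" Response_Time=150',
    '203.0.113.7 - - [31/May/2020:00:05:40 -0500] "GET /login HTTP/1.1" Response_Code=200 Bytes=5120 "-" "Mozilla/5.0" Response_Time=212',
    '10.9x.xx.xx - - [31/May/2020:00:06:02 -0500] "GET /healthcheck HTTP/1.1" Response_Code=503 Bytes=0 "-" "ELB-HealthChecker/2.0" Response_Time=30',
    '203.0.113.9 - - [31/May/2020:00:06:10 -0500] "GET /healthcheck HTTP/1.1" Response_Code=200 Bytes=26 "-" "curl/7.68.0" Response_Time=40',
]

_pattern = re.compile(HEALTHCHECK_REGEX)


def is_dropped(event: str) -> bool:
    """True if the setnull rule would route this event to nullQueue."""
    return _pattern.search(event) is not None


def filter_events(events):
    """Split events into (kept, dropped), mirroring what the indexer does."""
    kept = [e for e in events if not is_dropped(e)]
    dropped = [e for e in events if is_dropped(e)]
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = filter_events(SAMPLE_EVENTS)
    print(f"dropped {len(dropped)} of {len(SAMPLE_EVENTS)} events")
    print(TRANSFORMS_CONF)
```

Because nullQueue discards the events before indexing, keep the 503 health checks indexed: they are the signal that the target went unhealthy, and the rule above leaves them in.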