How do I filter incoming data to prevent license violations?



I'm attempting to use the free edition but with only collecting data from the local machine I'm filling up my 500MB quota in just a few hours.

I don't know if Splunk works this way but I thought I could cut back on incoming data by filtering out informational log events. That is I would like to accept only warnings and errors.

Is this possible?


Can I blacklist from the indexers and save myself some typing? Send a link to the doc that explains this, thanks.

0 Karma


It certainly is. You do this by matching events that should be sent to the "nullQueue" instead of the "indexQueue". The docs have good descriptions with examples on how to achieve this:

Splunk Employee
Splunk Employee

nullQueue routing is the only way to prevent the indexing of certain types of data. You can set up transforms for different sources/hosts/sourcetypes, so there is a good amount of flexibility on how you'd want to call the transform to perform this action. So it isn't like you've really got limitations in terms of having to create a single list.

0 Karma


Thanks for the information. After doing some research this system is turning out to be quite a bit more complicated than I expected. The biggest problem I see is that there are so many different types of events with different formats that I can not reasonably maintain an include/exclude list. Do you have any further advice on this?

0 Karma
Get Updates on the Splunk Community!

Introducing Ingest Actions: Filter, Mask, Route, Repeat

WATCH NOW Ingest Actions (IA) is the best new way to easily filter, mask and route your data in Splunk® ...

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...