Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I filter incoming data to prevent license violations?

cparker4486
Engager
‎11-10-2011 12:02 PM

Hello,

I'm attempting to use the free edition but with only collecting data from the local machine I'm filling up my 500MB quota in just a few hours.

I don't know if Splunk works this way but I thought I could cut back on incoming data by filtering out informational log events. That is I would like to accept only warnings and errors.

Is this possible?

Reply

hokie1999
Explorer
‎07-22-2013 09:57 AM

Can I blacklist from the indexers and save myself some typing? Send a link to the doc that explains this, thanks.

0 Karma
Reply

Ayn
Legend
‎11-10-2011 12:57 PM

It certainly is. You do this by matching events that should be sent to the "nullQueue" instead of the "indexQueue". The docs have good descriptions with examples on how to achieve this: http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Routeandfilterdatad#Discard_specific_event...

Reply

jbsplunk
Splunk Employee
Splunk Employee
‎11-10-2011 01:55 PM

nullQueue routing is the only way to prevent the indexing of certain types of data. You can set up transforms for different sources/hosts/sourcetypes, so there is a good amount of flexibility on how you'd want to call the transform to perform this action. So it isn't like you've really got limitations in terms of having to create a single list.

0 Karma
Reply

cparker4486
Engager
‎11-10-2011 01:30 PM

Thanks for the information. After doing some research this system is turning out to be quite a bit more complicated than I expected. The biggest problem I see is that there are so many different types of events with different formats that I can not reasonably maintain an include/exclude list. Do you have any further advice on this?

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...