Splunk Cloud Platform
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Dropping Logs Sent Straight to Splunk Cloud

mcweens
Engager
‎06-29-2021 06:06 AM

Hi all,

So my Splunk architecture consists of just 1 Heavy Forwarder and Splunk Cloud.  I have some logs that do not go through the HF (straight to Splunk Cloud) that I want to drop based on their IP and to do so was wanting to modify props and transforms on the Cloud (like you would do on a forwarder to drop logs).

Support is telling me in order to do this I should make a custom app and modify props and transforms there and not giving me much more than that.

Has anyone done something like this and what did you end up doing?  Thanks!

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

michel_wolf
Path Finder
‎06-29-2021 07:58 AM

Yes I think you have 2 options.

1. Route your data to your HF and drop the events there before you upload it to splunk cloud

2. If this  is not possible you have to create a private app with your props and transforms which drops those events and try to upload this app to splunk cloud via the process in the docs

View solution in original post

0 Karma
Reply
Solved! Jump to solution

michel_wolf
Path Finder
‎06-29-2021 07:44 AM

I think what Splunk support means is that you can create your app locally as you described and then upload it accordingly. There is this article about that:

https://docs.splunk.com/Documentation/SplunkCloud/8.2.2105/Admin/PrivateApps#Install_private_apps_on...

0 Karma
Reply
Solved! Jump to solution

mcweens
Engager
‎06-29-2021 07:49 AM

Ok so I would just make an app that has altered transforms and props and then upload that?  Just confusing because on a HF you would just alter the props and transforms for splunk.

0 Karma
Reply
Solved! Jump to solution
Solution

michel_wolf
Path Finder
‎06-29-2021 07:58 AM

Yes I think you have 2 options.

1. Route your data to your HF and drop the events there before you upload it to splunk cloud

2. If this  is not possible you have to create a private app with your props and transforms which drops those events and try to upload this app to splunk cloud via the process in the docs

0 Karma
Reply
Solved! Jump to solution

mcweens
Engager
‎07-09-2021 09:48 AM

We ended up routing this data to the HF instead of it going straight to splunk cloud.  We heard that the approval process for an app to get accepted is painful and also apparently Splunk Cloud doesn't want you having inputs on your search head anyways (it had been there for like 3 years though before they said anything).

Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...