Splunk Cloud Platform
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

User‑Driven Log Ingestion Control Framework

prashanthan1987
Explorer
‎01-22-2026 09:31 AM

We often encounter situations where a particular application begins generating unusually high volumes of logs for a specific source, sourcetype, or index. This can quickly lead to excessive license consumption and unplanned cost overruns.

To address this, I am exploring an approach that provides more direct control to application owners or stakeholders—allowing them to decide whether log ingestion should be temporarily paused or approved for suspension. This could be achieved through an automated workflow where users receive an API-triggered notification or an email containing a decision link. With this model, we can prevent unnecessary license impact while ensuring that any action taken has explicit user consent.

I’d appreciate your thoughts on this approach.

Labels (1)
Labels
0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎01-23-2026 03:14 AM

Hi @prashanthan1987 

You could look at using Ingest Actions API endpoints to leverage this, this will allow you to make changes to drop certain events based on your criteria programatically using automation, but I would recommend heavily testing this first and having plenty of guardrails to ensure nobody can manipulate it to drop things that shouldnt be dropped!

Check out https://help.splunk.com/en/splunk-enterprise/leverage-rest-apis/rest-api-reference/10.0/input-endpoi... and specifically the '/services/data/ingest/rulesets/' endpoint, such as:

curl -k https://HOST:PORT/services/data/ingest/rulesets\?output_mode=json -d name=RULESET_NAME -d sourcetype=SOURCETYPE -d rules="[
          {
            \"name\": \"RULE_NAME\",
            \"action\": \"route\",
            \"clone\": false,
            \"dest\": \"DESTINATION\",
            \"cond\": {
              \"type\": \"eval\",
              \"expr\": \"someExpressionHere\"
            }
          }
        ]"

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎01-23-2026 03:26 AM

Yes, but regardless of whether you use transforms, rulesets, ingest actions, edge processor, it's still something based on strict rules you have to set prior to ingesting data. There is no "hold and decide" mechanics.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎01-22-2026 09:55 AM

It doesn't work like this. Even if you made something that would selectively enable and disable HEC tokens and set specific sources to use specific tokens, there is no way to "hold" any specific events and "accept" or "reject" them within just Splunk's framework alone. You'd need to create an intermediate solution providing such functionality before ingesting the data into Splunk.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...