Splunk Enterprise Security

How to limit the amount of data that a Splunk universal forwarder sends to the Splunk server for processing?

vvmmvvmm
Explorer

Hi all

I am using Splunk Enterprise for security...

But I have a lot of extraneous data in Splunk at the moment. Looking through the dashboards I'm finding a lot of performance and operational status data.

The problem is that my Splunk license allows me to analyze 2 GB of data in a 24-hour period. I would say that at the moment 70% of the data that goes through the system is not security related, and the system was procured as a security monitoring system.

I would like to find a way to reduce the amount of data that the "forwarders" send back to the Splunk back end for processing, i.e., exclude all of the performance and operational data from the analysis.

My intention is to use that freed-up bandwidth to push the Sophos Anti Virus and Firewall logs I have to Splunk instead of server performance data.

Is this possible, and can anybody provide me with details on how to do this? I would really really appreciate your help! I have searched online for an answer but so far I can't find anything, but if you know of a page where I can find the information I need, please do send me a link 🙂

Kind Regards

Vera

1 Solution

ddrillic
Ultra Champion

Basically, you have two places to control the data flow:

1) At the forwarder level. http://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/Inputsconf is a great place to start, especially at the monitor options.

2) At the parsing queue on the indexer.

If you block data in one of these two points, the data won't count against your license.


ChrisG
Splunk Employee

There is a doc topic about routing and filtering data, which includes information about universal forwarders as well as heavy forwarders: Route and filter data in the Forwarding Data manual.

Another thing you might want to look at is David Paper's presentation from the 2014 user conference, "Getting the Most Out of Your Splunk License: Keeping the Junk Out of Splunk."
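As an added example (not from either answer above and not Splunk's own documentation; every file path, sourcetype name, stanza name and regex is assumed for illustration), here are the two control points ddrillic's answer lists and the routing doc ChrisG links to: an inputs.conf on the universal forwarder that stops performance files from being read at all, and a props.conf/transforms.conf pair on the indexer that sends unwanted events to nullQueue before they are indexed or counted against the license.

```ini
# --- 1) Forwarder level: $SPLUNK_HOME/etc/system/local/inputs.conf on the UF
# (assumed paths and names; adjust to your hosts). Files that never match a
# monitor stanza, or that match its blacklist, never leave the forwarder.

# Keep the security-relevant directory, but skip performance/health files in it.
[monitor:///var/log/myapp]
sourcetype = myapp
# blacklist is a regex tested against the full file path (assumed pattern)
blacklist = (perf|metrics|health|heartbeat)[^/]*\.log$

# Disable a Windows performance-counter input entirely (stanza name assumed)
[perfmon://CPU]
disabled = 1

# New security sources use the freed capacity (paths and sourcetypes assumed)
[monitor:///var/log/sophos/av.log]
sourcetype = sophos:av
[monitor:///var/log/sophos/firewall.log]
sourcetype = sophos:fw

# --- 2) Parsing queue: props.conf + transforms.conf on the indexer (or on a
# heavy forwarder). A universal forwarder does not parse, so these stanzas
# are ignored there; events routed to nullQueue here are never indexed and
# do not count against the license.

# props.conf -- transforms in one class run in the order listed, so a later
# match overrides an earlier one
[myapp]
TRANSFORMS-filter = drop_all_myapp, keep_security_myapp

# transforms.conf
# First send every event of this sourcetype to nullQueue ...
[drop_all_myapp]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# ... then pull back only events that look security-relevant (assumed pattern)
[keep_security_myapp]
REGEX = (?i)(logon|login|authentication|denied|failed|privilege)
DEST_KEY = queue
FORMAT = indexQueue
```

Restart the forwarder after editing inputs.conf and the indexer after editing props.conf/transforms.conf. Because nullQueue filtering happens at parse time, events from a universal forwarder still cross the network before being dropped, so only the forwarder-side inputs.conf changes also save bandwidth.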

vvmmvvmm
Explorer

Thank you Chris, and the presentation was really helpful 🙂



vvmmvvmm
Explorer

Thank you very much ddrillic 🙂
