Hi @aswinkumar6,
there is only one way: filter useless events before indexing.
There are only two methods to do this:
only on Windows it's possible to filter events on Universal Forwarders using whitelists and/or blacklists of EventCodes;
for all the other logs, it's possible to filter events before indexing following the instructions at https://docs.splunk.com/Documentation/Splunk/8.0.3/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues .
The first method is preferable because you filter at the origin and you don't use network bandwidth.
The second permits you to take specified events and discard the others, or to discard specified events and take the others; you only need to find the regex to filter them.
Ciao.
Giuseppe
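The two methods from the answer above, sketched as Splunk configuration. This is an added example, not part of the original post: the EventCodes, the sourcetype name `my_app_log` and the regex are constructed sample values, and the stanza names `setnull` and `setparsing` are arbitrary labels.

```ini
# --- Method 1: inputs.conf on a Windows Universal Forwarder ---
# Drop the listed EventCodes at the source, before they cross the network.
# 4662 and 5156 are sample choices only; pick codes from your own volume review.
[WinEventLog://Security]
disabled = 0
blacklist = 4662,5156

# --- Method 2: props.conf on the indexer or heavy forwarder ---
# "my_app_log" is a hypothetical sourcetype name.
# Transforms are applied in the order listed here.
[my_app_log]
TRANSFORMS-filter = setnull,setparsing

# --- Method 2: transforms.conf on the same instance ---
# Step 1: route every event of this sourcetype to nullQueue (discard).
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# Step 2: route events matching the constructed regex back to indexQueue,
# so only those are kept and everything else stays discarded.
[setparsing]
REGEX = (?i)\b(error|denied|failed)\b
DEST_KEY = queue
FORMAT = indexQueue

# To discard only specific events and keep the rest instead, reference a
# single transform that carries the matching regex with FORMAT = nullQueue.
```

Events dropped by either method never reach the index, so check the filtered EventCodes and patterns against your detection searches and investigation needs before deploying.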