Getting Data In

Can I restrict log ingestion when the index capacity reaches its limit on a per-day basis?

mala_splunk_91
Explorer

Hi, 

In Splunk Cloud, can I restrict log ingestion when the index capacity reaches its limit on a per-day basis?

I have logs which are exceeding their indexing capacity on certain days. Is there any way I can block ingestion if the capacity reaches its threshold?

Also, I have another question: is it possible for me to edit the configuration files to filter logs or send them to the null queue on Splunk Cloud?

If I want to create a custom app to do so, please share any related documents to follow.

Thanks, 

Mala Sundaramoorthy

0 Karma

gcusello
SplunkTrust

Hi @mala_splunk_91,

As @VatsalJagani said, there isn't any automatic way to do this.

Obviously you can create an alert that fires when you're reaching e.g. 50% at midday or 80% at 5 PM.

So you can turn off some inputs when the alert fires, but not automatically.

Maybe it's possible with Phantom, but I have never tried.

About configurations, you can modify them only through the interface on Splunk Cloud.

It's easier if you have to take on-premise logs using Forwarders, but anyway, always in manual mode, not automatically.

About the way to create a custom App, it's a very easy App:

It will be easier when the Data Stream Processor is available (https://docs.splunk.com/Documentation/DSP/1.3.0/User/Filter).

Ciao.

Giuseppe

0 Karma
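
The time-of-day check suggested in the answer above (50% of the daily quota by midday, 80% by 5 PM), as an added example that is not part of the original post and not Splunk's own code. The record layout, index names and quota values are constructed assumptions, and all records are assumed to fall on a single day.

```python
from collections import defaultdict
from datetime import datetime, time

# Checkpoints from the answer above: 50% of the daily quota by midday, 80% by 5 PM.
CHECKPOINTS = [(time(12, 0), 0.50), (time(17, 0), 0.80)]

# Constructed sample records (not real Splunk output): ISO timestamp, index, bytes ingested.
SAMPLE = """\
2024-05-01T08:00:00 idx=firewall b=200
2024-05-01T11:30:00 idx=firewall b=350
2024-05-01T11:45:00 idx=web b=100
2024-05-01T16:00:00 idx=firewall b=300
2024-05-01T16:30:00 idx=web b=250
malformed line without fields
2024-05-01T18:00:00 idx=web b=600
"""

def parse(line):
    """Return (timestamp, index, bytes), or None for a line that does not fit."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
        fields = dict(p.split("=", 1) for p in parts[1:])
        return ts, fields["idx"], int(fields["b"])
    except (ValueError, KeyError):
        return None

def early_warnings(text, quota_bytes, checkpoints=CHECKPOINTS):
    """List (index, checkpoint, fraction_used) where the bytes ingested up to a
    checkpoint already reached that checkpoint's share of the index's daily quota."""
    events = sorted(e for e in map(parse, text.splitlines()) if e)
    warnings = []
    for cutoff, share in checkpoints:
        used = defaultdict(int)
        for ts, idx, b in events:
            if ts.time() <= cutoff:
                used[idx] += b
        for idx in sorted(used):
            quota = quota_bytes.get(idx)  # indexes without a quota are skipped
            if quota and used[idx] / quota >= share:
                warnings.append((idx, cutoff.strftime("%H:%M"), round(used[idx] / quota, 2)))
    return warnings
```

A warning here only tells an operator which index is running ahead of its budget; disabling the input remains the manual step the answer describes.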

VatsalJagani
SplunkTrust

@mala_splunk_91 

 

I hope this helps!!!

0 Karma