- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How can I filter logs from being indexed in Splunk...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How can I filter logs from being indexed in Splunk Cloud
Hey all,
I want to filter logs before they are being indexed in Splunk Cloud for example, I want to filter all logs with host="test*"
How can I do that in Splunk Cloud?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to create an app for your Indexers to send the selected events to nullQueue then you need to open a support case to submit it to for vetting, which can take a while, but it is getting better.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why this is so complicated? Just want to filter logs before indexing, it should be very simple. Are you sure there is no other way?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I didn't find in Splunk App for existing application which do the same. Maybe there is some app that have this functionality?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are overestimating what is an app; it is just a package of configuration files. Create your files, package them as an app, submit them by case to be installed on your indexers.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for clarification.
I do see many documentation on how to do it on premise, but I'm working on Splunk Cloud and I can't access to the instance to change /opt/Splunk files.
Do you know for any good documentation for Splunk Cloud?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can discard the data via nullQueue on your Intermediate/Heavy forwarder...
http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the reply. But I specify it few time in my question and bolded it even. I need solution in Splunk Cloud not in the level of UF or HF(Heavy forwarder).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I guess it should be enabled with props and transforms on the indexers in Splunk Cloud(may be a support ticket)
https://www.youtube.com/watch?v=RJAaTyFHKeo&index=1&list=PL7zWAA-DF0k9xVLrl1j-lk2F74Ge3EgCZ
Developer Spotlight with Paul Stout
State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...
Data-Driven Success: Splunk & Financial Services
