Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I filter logs from being indexed in Splunk Cloud

eddiemashayev
Path Finder
‎05-06-2018 07:47 AM

Hey all,

I want to filter logs before they are being indexed in Splunk Cloud for example, I want to filter all logs with host="test*"

How can I do that in Splunk Cloud?

0 Karma
Reply

woodcock
Esteemed Legend
‎05-06-2018 11:05 AM

You need to create an app for your Indexers to send the selected events to nullQueue then you need to open a support case to submit it to for vetting, which can take a while, but it is getting better.

0 Karma
Reply

eddiemashayev
Path Finder
‎05-07-2018 01:46 AM

Why this is so complicated? Just want to filter logs before indexing, it should be very simple. Are you sure there is no other way?

0 Karma
Reply

eddiemashayev
Path Finder
‎05-07-2018 01:57 AM

I didn't find in Splunk App for existing application which do the same. Maybe there is some app that have this functionality?

0 Karma
Reply

woodcock
Esteemed Legend
‎05-07-2018 04:15 AM

You are overestimating what is an app; it is just a package of configuration files. Create your files, package them as an app, submit them by case to be installed on your indexers.

0 Karma
Reply

eddiemashayev
Path Finder
‎05-07-2018 07:07 AM

Thanks for clarification.
I do see many documentation on how to do it on premise, but I'm working on Splunk Cloud and I can't access to the instance to change /opt/Splunk files.

Do you know for any good documentation for Splunk Cloud?

0 Karma
Reply

prakash007
Builder
‎05-06-2018 08:29 AM

You can discard the data via nullQueue on your Intermediate/Heavy forwarder...

http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad

0 Karma
Reply

eddiemashayev
Path Finder
‎05-06-2018 08:47 AM

Thanks for the reply. But I specify it few time in my question and bolded it even. I need solution in Splunk Cloud not in the level of UF or HF(Heavy forwarder).

0 Karma
Reply

prakash007
Builder
‎05-06-2018 09:37 AM

I guess it should be enabled with props and transforms on the indexers in Splunk Cloud(may be a support ticket)

https://www.youtube.com/watch?v=RJAaTyFHKeo&index=1&list=PL7zWAA-DF0k9xVLrl1j-lk2F74Ge3EgCZ

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...