Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk AWS Blacklist on AccountID - Splunk Cloud

SplunkJ1
Loves-to-Learn Lots
‎01-24-2022 04:00 PM

Hi, I am currently using the AWS Add-on for Splunk, and am looking to see if I can blacklist based on regex other than the applications UI for blacklisting based on eventnames. (using the blacklist method provided by the app: https://docs.splunk.com/Documentation/AddOns/latest/AWS/CloudTrail)

 

I have a central Cloudtrail for all of my accounts and looking to send logs from a certain account to nullque so they are not ingested. The logs do have a field for AccountID. Reason being the specific logs from the account are about 80 percent of my ingestion and are not needed. I saw this article but as mentioned before I am not able to modify these files directly due to being on Splunk Cloud: https://docs.splunk.com/Documentation/Splunk/6.4.1/Forwarding/Routeandfilterdatad#Discard_specific_e...

 

Since I do not have access to modify transform.conf or props.conf.  I was told I could modify the applications .conf files and send a zipped folder of the modified contents for Splunk team to upload and install.

Currently I do have blacklisting implemented on EventNames as this is part of the application.  Is there any guidance on how I can blacklist based on regex such as accountID=(id for account I want to send to nullque)?

Labels (3)
0 Karma
Reply

venkatasri
SplunkTrust
SplunkTrust
‎01-24-2022 06:32 PM

Hi @SplunkJ1 

May be you shall a create a private app having props , transforms conf having stanzas to send matching accountid events to nullQueue and deploy using this process to the instance where AWS add-on is running already.

You don't need to edit the same .conf files in the add-on , instead you can create a private app having your custom configs for sourcetype aws:cloudtrail. Splunk determines at the run-time and merge all of them together, After installation of private app (UI disabled) in on-prem splunk a restart of HF/Splunk instance is required. In SplunkCloud case you shall check how that works.

Hope this helps!

https://dev.splunk.com/enterprise/docs/releaseapps/manageprivatecloud/

--

An upvote would be appreciated if this reply helps!

0 Karma
Reply

SplunkJ1
Loves-to-Learn Lots
‎01-25-2022 09:02 AM

Ok that is interesting. So if I upload a new app with only a transform, props conf with the exact same stanza (sourcetype) in the official app, it will add the rules for my private app's stanza to the main?

0 Karma
Reply

venkatasri
SplunkTrust
SplunkTrust
‎01-27-2022 03:10 AM

Technically that works on on-prem unless the add-on is shared across multiple users in Splunk cloud. 

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...