Getting Data In

Would like to block a specific Source going to a Heavy Forwarder


Hello Community,

- Splunk Enterprise On-Prem = v7.1.2
- F5-BIGIP = v13.1.0
- Using: F5 Analytics iApp v3.7.2RC5
- Kiwi SYSLOG (Heavy Forwarder that has a Uni. Forwarder assigned)

I'm currently getting bombarded with over 65k events every few seconds that is related to performance data for Memory/CPU, this data comes into our Indexer and is labeled as source=bigip.tmstats.memory_usage_stat I would like to drop this source from being indexed as its taking up close to 80% of my daily license right now.

Please Note: I'm not a heavy Splunk Admin person, so please be gentle.... I break easily 🙂

Any help is greatly appreciated, thanks!



sounds like thats an input of your F5 BIGIP app, just find the inputs,conf on your F5 app and disable the input with the source source=bigip.tmstats.memory_usage_stat

If you can´t find it just grep for it on your CLI in $SPLUNK_HOME/splunk/etc/apps grep -R bigip.tmstats.memory_usage_stat

OR use btool ( in $SPLUNK_HOME/splunk/bin) type ./splunk cmd btool inputs list --debug | grep bigip*

Also check your modular inputs for F5

0 Karma


If it was helpfull please accept the answer, thank you

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!