Hello. I've inherited a 'proof-of-concept' Splunk installation consisting of several linux servers running Splunk Enterprise under a dev license. We've a couple of Indexers, an index master, a deployment server and a single search head.
We've got universal forwarders configured on our Windows AD domain controllers that are installing the Splunk_TA_Windows app to the UFs. This app has been configured to whitelist only certain event ID codes via a regexp.
My understanding (and this appears to agree with every bit of docs I can find) was that UF forwarders were unable to filter or manipulate data, and that required a Heavy Forwarder to be configured to do things like regexp, etc.
I'm concerned that our UFs are consuming too much of our license and that the whitelisting regexps in the inputs.conf on the UF aren't effective? Or have I grossly misunderstood (I assume it's me...)
The other reason I ask is because we'd also like to pull in selected data from a syslog feed, but we'd absolutely need to filter this before it hits Splunk as it'd blow through our license in mins if we didn't. If I can filter Windows event logs in a UF via a regexp, can I also filter syslog events in a UF with a regexp?
Thanks
Dave
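For reference, the two filtering layers the question is asking about, as an added configuration example that is not part of Dave's post or of Splunk_TA_Windows: the WinEventLog input on a Universal Forwarder does support its own `whitelist`/`blacklist` keys (event ID lists, or `key=%regex%` pairs), so the first stanza is a UF-side filter that drops events before they count against the license. A UF has no parsing pipeline, so for a generic syslog input the regex filter has to live in props.conf/transforms.conf on the heavy forwarder or indexers, routing unwanted events to `nullQueue`. The event codes, the UDP port, the index names and the noise pattern below are constructed placeholders, not values from the question.

```ini
# ---- inputs.conf on the Universal Forwarder (deployed via the deployment server) ----
# Event-ID whitelist evaluated by the UF's Windows Event Log input itself.
# Example IDs are constructed; pick the ones your detections actually need.
[WinEventLog://Security]
disabled = 0
index = wineventlog
# Form 1: plain comma-separated IDs and ranges
whitelist = 4624,4625,4648,4672,4720-4726,4768-4771
# Form 2: regex on an event field, delimited by % characters (one per whitelistN key)
whitelist1 = EventCode=%^(4624|4625)$%
# Drop noisy machine-account logons even when the EventCode matched above
blacklist1 = EventCode=%^4624$% Message=%Account Name:\s+\S+\$%

# A UF can receive syslog on a UDP port, but cannot regex-filter the events it forwards.
# Port and sourcetype are assumptions for the example.
[udp://5514]
sourcetype = syslog
connection_host = ip
index = syslog

# ---- props.conf on the heavy forwarder or indexers (NOT on the UF) ----
# Apply the transforms in order: first drop noise, then keep everything else.
[syslog]
TRANSFORMS-filter = syslog_drop_noise

# ---- transforms.conf on the heavy forwarder or indexers ----
# Any event whose raw text matches this (constructed) pattern is routed to nullQueue,
# i.e. discarded before indexing, so it never counts against the license.
[syslog_drop_noise]
REGEX = (?i)last message repeated \d+ times|CRON\[\d+\]: pam_unix
DEST_KEY = queue
FORMAT = nullQueue
```

After deploying, a quick check that the UF-side whitelist is effective is to compare the daily volume per host before and after the change with a search such as `index=_internal source=*license_usage.log type=Usage h=<dc-hostname> | timechart span=1d sum(b)`; the indexer-side nullQueue drop will likewise show up as a reduction in `index=syslog` volume while the `udp://5514` input still reports receipt in `index=_internal source=*metrics.log group=per_sourcetype_thruput`.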