Skip to main content
Los artículos de Splunk Lantern ya están disponibles en español.
Splunk Lantern

Filtering syslog data to dev null


There may be events or hosts you do not want to receive in Splunk Connect for Syslog (SC4S) so they are not forwarded on to Splunk. SC4S can discard matching events as they are processed. This is achieved by editing the configuration files that work in unison to identify and enrich the events:

  • vendor_product_by_source.csv, located in /opt/sc4s/local/context, and contains a “key” that is referenced in the log path for each data source 
  • vendor_product_by_source.conf, located in /opt/sc4s/local/context, and contains the filter to match events

The example edits below create a filter called "f_null_queue" that matches to the terms "discarded" OR "deny" and sends every event that matches to dev_null (Blackhole).




filter f_null_queue {
  or message('deny')

Next steps

These additional Splunk resources might help you understand and implement this use case:

Finally, you might be interested in other processes associated with the Understanding best practices for Splunk Connect for Syslog use case.