https://community.splunk.com/t5/Security/Forward-only-WARN-OR-ERROR-log-lines-to-splunk/m-p/497031#M15376 <P>Hi Team,</P> <P>Need your expert advise on how can I configure my logstash.conf file to forward only the ERROR OR WARN log lines to Splunk. I have done some online research that a grok filter or wrapping the output with if condition can be used in order the acheive the required result.</P> <P>I would appreciate if you could share a working example on the same. Many thanks!</P> Wed, 13 May 2020 21:12:25 GMT vivek991985 2020-05-13T21:12:25Z https://community.splunk.com/t5/Security/Forward-only-WARN-OR-ERROR-log-lines-to-splunk/m-p/497031#M15376 <P>Hi Team,</P> <P>Need your expert advise on how can I configure my logstash.conf file to forward only the ERROR OR WARN log lines to Splunk. I have done some online research that a grok filter or wrapping the output with if condition can be used in order the acheive the required result.</P> <P>I would appreciate if you could share a working example on the same. Many thanks!</P> Wed, 13 May 2020 21:12:25 GMT https://community.splunk.com/t5/Security/Forward-only-WARN-OR-ERROR-log-lines-to-splunk/m-p/497031#M15376 vivek991985 2020-05-13T21:12:25Z https://community.splunk.com/t5/Security/Forward-only-WARN-OR-ERROR-log-lines-to-splunk/m-p/497032#M15377 <P><A href="https://answers.splunk.com/answers/59370/filtering-events-using-nullqueue-1.html">https://answers.splunk.com/answers/59370/filtering-events-using-nullqueue-1.html</A></P> <P>Can't you just delete it on the Splunk side?</P> Wed, 13 May 2020 23:52:11 GMT https://community.splunk.com/t5/Security/Forward-only-WARN-OR-ERROR-log-lines-to-splunk/m-p/497032#M15377 to4kawa 2020-05-13T23:52:11Z https://community.splunk.com/t5/Security/Forward-only-WARN-OR-ERROR-log-lines-to-splunk/m-p/497033#M15378 <P>I do not want to delete it at Splunk side.</P> <P>I prefer not to send the data with INFO OR DEBUG logging levels to Splunk, therefore, looking forward to getting some clean solution to implement it.</P> <P>Please advise how logstash.conf should be updated to achieve the required result.</P> <P>Thanks!</P> Thu, 14 May 2020 05:42:38 GMT https://community.splunk.com/t5/Security/Forward-only-WARN-OR-ERROR-log-lines-to-splunk/m-p/497033#M15378 vivek991985 2020-05-14T05:42:38Z https://community.splunk.com/t5/Security/Forward-only-WARN-OR-ERROR-log-lines-to-splunk/m-p/497034#M15379 <P>Hi @vivek991985,<BR /> the logging level doesn't depend on Splunk, it depends on the source, so maybe you should ask to a logstash forum.</P> <P>Anyway, you can filter in Splunk the not interesting logs following the steps described at <A href="https://docs.splunk.com/Documentation/Splunk/8.0.3/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues">https://docs.splunk.com/Documentation/Splunk/8.0.3/Forwarding/Routeandfilterdatad#Filter_event_data_and_send_to_queues</A> .</P> <P>Ciao.<BR /> Giuseppe</P> Thu, 14 May 2020 06:17:21 GMT https://community.splunk.com/t5/Security/Forward-only-WARN-OR-ERROR-log-lines-to-splunk/m-p/497034#M15379 gcusello 2020-05-14T06:17:21Z https://community.splunk.com/t5/Security/Forward-only-WARN-OR-ERROR-log-lines-to-splunk/m-p/497035#M15380 <P>Thanks very much Giuseppe for your help! Noted.</P> Thu, 14 May 2020 06:20:08 GMT https://community.splunk.com/t5/Security/Forward-only-WARN-OR-ERROR-log-lines-to-splunk/m-p/497035#M15380 vivek991985 2020-05-14T06:20:08Z