topic Re: nix_errors casting too wide a net? in All Apps and Add-ons

nix_errors casting too wide a net?

michaelgardner — Mon, 05 Aug 2013 18:07:38 GMT

Splunk newbie question, I think.

We have a medium-sized heterogeneous (in terms of OS) environment. We are getting non-errors reported with the "nix_errors" eventtype and also the "nix-log-files" eventtype, though the log files are actually on a Windows server. These eventtypes are defined from the "Splunk for Unix and Linux" App.

The "nix_errors" eventtype is defined as:

NOT sourcetype=stash error OR critical OR failure OR fail OR failed OR fatal

What's the proper way for me to handle this? Suppressing the eventtype throws out too much.

Change the definition of the eventtypes in the Manager? (Will my changes be lost on an upgrade?) I think I would add an os_type tag and then reference that in the eventtypes.
um .... leave it as is?
Better option that I'm not aware of?

I don't want to uninstall the App. It's useful elsewhere.

Thanks,
Mike

Re: nix_errors casting too wide a net?

araitz — Mon, 05 Aug 2013 19:47:48 GMT

The nix_errors eventtype is too broad, agreed. You could do a few things:

Turn off global sharing for this eventtype in Manager
Change the eventtype to be scoped to your unix data (e.g. index=os sourcetype=stash error OR ...)

Re: nix_errors casting too wide a net?

michaelgardner — Thu, 08 Aug 2013 12:17:55 GMT

Thanks, araitz. The removal of the global scope for the eventtypes has really cut down the noise.

Aside: exptremely tedious to change the 100+ *NIX eventtypes via the GUI. I'm sure there was a better way via the .conf files. Planning to enroll in some Splunk Admin courses.