https://community.splunk.com/t5/Splunk-ITSI/ITSI-is-generating-noisy-false-positives-quot-this-is-a-kvstore/m-p/325292#M378 <P>I confirm, it was fixed in ITSI since version 3.1.0<BR /> it will be added to the release notes (as ITOA-8623)</P> Thu, 24 May 2018 22:10:21 GMT yannK 2018-05-24T22:10:21Z https://community.splunk.com/t5/Splunk-ITSI/ITSI-is-generating-noisy-false-positives-quot-this-is-a-kvstore/m-p/325289#M375 <P>I have ITSI 3.0, and on a regular basis it is reporting a kvstore connection test.<BR /> The problem is that the check triggers a false positive error message in splunkd.log internal logs </P> <P>In ITSI 2.* the message was like </P> <PRE><CODE> 05-09-2017 06:04:18.605 -0400 ERROR HttpListener - Exception while processing request from 127.0.0.1 for /servicesNS/nobody/SA-ITOA/storage/collections/data/dummy_collection_nvfjdnvjkfdnvjkfnvjkfnvernvjfnvjkfsdnvuenvkjfnvjka?output_mode=json: Could not find object id=dummy_collection_nvfjdnvjkfdnvjkfnvjkfnvernvjfnvjkfsdnvuenvkjfnvjka </CODE></PRE> <P>In ITSI 3.0, it now looks like</P> <PRE><CODE> 01-23-2018 13:00:01.622 -0800 ERROR HttpListener - Exception while processing request from 127.0.0.1 for /servicesNS/nobody/SA-ITOA/storage/collections/data/this_is_a_kvstore_heartbeat_it_is_not_an_error_please_ignore?output_mode=json: Could not find object id=this_is_a_kvstore_heartbeat_it_is_not_an_error_please_ignore </CODE></PRE> <P>Can I find a way to drop those event? <BR /> I do not want to index them.</P> Tue, 23 Jan 2018 21:13:13 GMT https://community.splunk.com/t5/Splunk-ITSI/ITSI-is-generating-noisy-false-positives-quot-this-is-a-kvstore/m-p/325289#M375 mataharry 2018-01-23T21:13:13Z https://community.splunk.com/t5/Splunk-ITSI/ITSI-is-generating-noisy-false-positives-quot-this-is-a-kvstore/m-p/325290#M376 <P>The long term solution will be to wait for a future version of Splunk or ITSI that does not generate that log.<BR /> A possible workaround now is to setup a nullQueue filter on the search-head indexing the logs to drop them at index time.<BR /> see <A href="http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Forwarding/Routeandfilterdatad#Discard_specific_events_and_keep_the_rest">http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Forwarding/Routeandfilterdatad#Discard_specific_events_and_keep_the_rest</A></P> <P>PS : This will not prevent the logs to be in the splunkd.log file on disk, just to drop them at index time.</P> <P><STRONG>Method to setup a nullQueue filter on the search-head :</STRONG></P> <P>in transforms.conf</P> <PRE><CODE>[splunkd] TRANSFORMS-ITSInullqueue=ITSInullqueuefalsepositive </CODE></PRE> <P>in props.conf</P> <PRE><CODE>[ITSInullqueuefalsepositive] REGEX = (dummy_collection_nvfjdnvjkfdnvjkfnvjkfnvernvjfnvjkfsdnvuenvkjfnvjka|this_is_a_kvstore_heartbeat_it_is_not_an_error_please_ignore) DEST_KEY = queue FORMAT = nullQueue # to delete false positive HTTPlisterner ITSI events. </CODE></PRE> Tue, 23 Jan 2018 21:26:55 GMT https://community.splunk.com/t5/Splunk-ITSI/ITSI-is-generating-noisy-false-positives-quot-this-is-a-kvstore/m-p/325290#M376 yannK 2018-01-23T21:26:55Z https://community.splunk.com/t5/Splunk-ITSI/ITSI-is-generating-noisy-false-positives-quot-this-is-a-kvstore/m-p/325291#M377 <P>I understand this is fixed as part of ITSI 3.1. It's not in the release notes although I can confirm that I'm not seeing this anymore.</P> Thu, 24 May 2018 21:02:28 GMT https://community.splunk.com/t5/Splunk-ITSI/ITSI-is-generating-noisy-false-positives-quot-this-is-a-kvstore/m-p/325291#M377 sloshburch 2018-05-24T21:02:28Z https://community.splunk.com/t5/Splunk-ITSI/ITSI-is-generating-noisy-false-positives-quot-this-is-a-kvstore/m-p/325292#M378 <P>I confirm, it was fixed in ITSI since version 3.1.0<BR /> it will be added to the release notes (as ITOA-8623)</P> Thu, 24 May 2018 22:10:21 GMT https://community.splunk.com/t5/Splunk-ITSI/ITSI-is-generating-noisy-false-positives-quot-this-is-a-kvstore/m-p/325292#M378 yannK 2018-05-24T22:10:21Z