
Exclude Strings in reports

wiz562
Engager

I'm just starting out with Splunk and had a question about the canned reports. In the *nix app, if you go to "Log Files" -> "Errors and Warnings", there are many false positives. It seems to be picking things up like "--error-log=" for mysql in my ps command and "Removing old error log entries..." in other log files.

Is there an easy way to edit these reports so that I can exclude certain terms?

0 Karma
1 Solution

jtrucks
Splunk Employee

On your Splunk server where the app is installed, copy the following from $SPLUNK_HOME/etc/apps/unix/default/ to $SPLUNK_HOME/etc/apps/unix/local/

eventtypes.conf
savedsearches.conf
tags.conf
transforms.conf
viewstates.conf

Then edit the various searches you want to change in the */local/ directory, leaving everything in */default/ alone.

--
Jesse Trucks
Minister of Magic
