Is it possible to disable logging on the Cisco eStreamer for Splunk app?

responsys_cm
Builder

The eStreamer input generates like 300 MB of log files per day. Is there any way to disable that logging?

0 Karma

gcusello
SplunkTrust

Hi responsys_cm,
to disable the eStreamer input, you have to disable the Splunk inputs for this App; there are two ways:

  • You can do it in the web interface [Settings -- Inputs]: find the eStreamer inputs and disable them;
  • modify $SPLUNK_HOME/etc/apps/eStreamer/local/inputs.conf, inserting "disabled=1" where there is "disabled=0", and restart Splunk; if this file doesn't exist, copy it from $SPLUNK_HOME/etc/apps/eStreamer/default.

If you also receive logs using syslog, remember to disable this in your Cisco interface.

Bye.
Giuseppe

0 Karma

responsys_cm
Builder

My goal isn't to disable the input. The input generates log files on its operations as well as indexing data from FireSIGHT. I want the FireSIGHT data, but not the hundreds of megs of the input's operational logs...

0 Karma

gcusello
SplunkTrust

You have to choose the logs you want to discard, find the correct regex, and then filter your data using the regex:
(http://docs.splunk.com/Documentation/Splunk/6.5.1/Forwarding/Routeandfilterdatad)
props.conf

 [your_sourcetype]
 TRANSFORMS-null= setnull

transforms.conf

 [setnull]
 REGEX = your_regex
 DEST_KEY = queue
 FORMAT = nullQueue

and restart Splunk

bye.
Giuseppe

0 Karma
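
To check a candidate regex before deploying the nullQueue filter from the reply above, this added example (not part of the original posts or of the eStreamer app) replays sample events against a props.conf/transforms.conf pair and reports what would be dropped. The sourcetype name, regex and events are hypothetical and constructed, and Python's re module stands in for Splunk's PCRE engine.

```python
import configparser
import re

# Constructed stanzas and events; the sourcetype name and regex are hypothetical.
PROPS_CONF = r"""
[example:sourcetype]
TRANSFORMS-null = setnull
"""
TRANSFORMS_CONF = r"""
[setnull]
REGEX = \s(DEBUG|INFO)\s
DEST_KEY = queue
FORMAT = nullQueue
"""
EVENTS = [
    "2017-01-10 10:00:01 INFO worker heartbeat ok",
    "2017-01-10 10:00:02 DEBUG queue depth=12",
    "2017-01-10 10:00:03 WARNING connection reset by peer",
    "2017-01-10 10:00:04 ERROR authentication failed user=svc_example",
]

def load(text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # Splunk setting names are case-sensitive
    cp.read_string(text)
    return cp

def null_queue_regexes(props, transforms, sourcetype):
    """Compile the REGEX of every transform that routes events to nullQueue."""
    regexes = []
    for key, value in props[sourcetype].items():
        names = value.split(",") if key.startswith("TRANSFORMS-") else []
        for name in (n.strip() for n in names):
            t = transforms[name]
            if t.get("DEST_KEY") == "queue" and t.get("FORMAT") == "nullQueue":
                regexes.append(re.compile(t["REGEX"]))
    return regexes

def split_events(events, regexes):
    """Return (kept, dropped); an unanchored match on the raw event drops it."""
    kept, dropped = [], []
    for event in events:
        (dropped if any(r.search(event) for r in regexes) else kept).append(event)
    return kept, dropped

if __name__ == "__main__":
    rx = null_queue_regexes(load(PROPS_CONF), load(TRANSFORMS_CONF), "example:sourcetype")
    kept, dropped = split_events(EVENTS, rx)
    print("dropped:", dropped, "\nkept:", kept)
```

Events routed to nullQueue are discarded before indexing, so a regex that is too broad removes them for good.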

responsys_cm
Builder

These logs aren't being ingested by Splunk. They are logs that the eStreamer script generates. They consume hundreds of megs a day.

0 Karma

gcusello
SplunkTrust

Sorry, I don't know eStreamer and I don't know how to disable the log!
Bye.
Giuseppe

0 Karma