All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

nix_errors casting too wide a net?

michaelgardner
Explorer
‎08-05-2013 11:07 AM

Splunk newbie question, I think.

We have a medium-sized heterogeneous (in terms of OS) environment. We are getting non-errors reported with the "nix_errors" eventtype and also the "nix-log-files" eventtype, though the log files are actually on a Windows server. These eventtypes are defined from the "Splunk for Unix and Linux" App.

The "nix_errors" eventtype is defined as:

NOT sourcetype=stash error OR critical OR failure OR fail OR failed OR fatal

What's the proper way for me to handle this? Suppressing the eventtype throws out too much.

  • Change the definition of the eventtypes in the Manager? (Will my changes be lost on an upgrade?) I think I would add an os_type tag and then reference that in the eventtypes.

  • um .... leave it as is?

  • Better option that I'm not aware of?

I don't want to uninstall the App. It's useful elsewhere.

Thanks,
Mike

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

araitz
Splunk Employee
Splunk Employee
‎08-05-2013 12:47 PM

The nix_errors eventtype is too broad, agreed. You could do a few things:

  1. Turn off global sharing for this eventtype in Manager
  2. Change the eventtype to be scoped to your unix data (e.g. index=os sourcetype=stash error OR ...)

View solution in original post

Reply
Solved! Jump to solution
Solution

araitz
Splunk Employee
Splunk Employee
‎08-05-2013 12:47 PM

The nix_errors eventtype is too broad, agreed. You could do a few things:

  1. Turn off global sharing for this eventtype in Manager
  2. Change the eventtype to be scoped to your unix data (e.g. index=os sourcetype=stash error OR ...)
Reply
Solved! Jump to solution

michaelgardner
Explorer
‎08-08-2013 05:17 AM

Thanks, araitz. The removal of the global scope for the eventtypes has really cut down the noise.

Aside: exptremely tedious to change the 100+ *NIX eventtypes via the GUI. I'm sure there was a better way via the .conf files. Planning to enroll in some Splunk Admin courses.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...