Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Disabling type "Informational" with splunk for windows

nbennett
New Member
‎06-25-2010 04:03 PM

I have a linux indexer. I forward with the light forwarder from about 200 windows boxes.

On the indexer I don't want it to index type=informational.

How does one go about that?

Tags (3)
0 Karma
Reply

ftk
Motivator
‎06-25-2010 05:59 PM

Take a look at routing and filtering: http://www.splunk.com/base/Documentation/latest/admin/Routeandfilterdata

You will need a transforms.conf stanza to define what events to ignore and a props.conf stanza to define which sourcetype to apply it to.

You can ignore data by routing it to the nullQueue. In transforms.conf:

[routeInfoToNull]
REGEX=(?m)^Type=Information
DEST_KEY=queue
FORMAT=nullQueue

This will set up everything that comes in to match that REGEX (in this case Type=Information on a newline) to go to the nullQueue (basically /dev/null).

Now apply this transforms to your event logs as such in props.conf:

[WinEventLog:System]
TRANSFORMS-SystemInfoToNull = routeInfoToNull

Not that if you're pulling via WMI you will have to apply this to the [wmi] sourcetype. If you want to route data from additional event logs just add more stanzas to props.conf.

Reply

ftk
Motivator
‎06-25-2010 06:04 PM

An afterthought: There are lots of interesting events logged as informational on Windows that you might want to actually index. Service startup type changes, service start/stop events, Windows update installs come to mind.

0 Karma
Reply

Simeon
Splunk Employee
Splunk Employee
‎06-25-2010 04:32 PM

It sounds like you want to tune the windows inputs for the forwarding system. See the following link for more guidance:

http://www.splunk.com/base/Documentation/latest/Admin/ConsiderationsfordecidinghowtomonitorWindowsda...

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...