Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I remove the lines with INFO or WARN from logging to Splunk?

nls7010
Path Finder
‎03-04-2019 08:28 AM

I want to NOT ingest the events that have INFO or WARN in them. Can I use the following in the Props.conf without anything in the transforms.conf? And, of course will it work?

[type1-logs]

SEDCMD-removeINFO =s/INFO .+//g

[type2-logs]

SEDCMD-removeWARN =s/WARN .+//g
0 Karma
Reply

damann
Communicator
‎03-04-2019 08:46 AM

You can use the nullqueue for this purpose:

You need a TRANSFORMS-removeINFO and TRANSFORMS-removeWARN in props.conf:

[type1-logs]
TRANSFORMS-removeINFO = setnullinfo

[type2-logs]
TRANSFORMS-removeWARN = setnullwarn

and in your transforms.conf you need to set the DEST_KEY to queue and FORMAT to nullQueue:

[setnullinfo]
REGEX = INFO\w
DEST_KEY = queue
FORMAT = nullQueue

[setnullwarn]
REGEX = WARN\w
DEST_KEY = queue
FORMAT = nullQueue

Look out for more informations about routing and filtering data in the docs:
https://docs.splunk.com/Documentation/Splunk/7.2.4/Forwarding/Routeandfilterdatad#Filter_event_data_...

0 Karma
Reply

nickhills
Ultra Champion
‎03-04-2019 08:38 AM

in transforms.conf you need something like this:

[drop_info_warn]
 REGEX = (INFO|WARN)
 DEST_KEY = queue
 FORMAT = nullQueue

then in props.conf you need

[type1-logs]
TRANSFORMS-drop = drop_info_warn

[type2-logs]
TRANSFORMS-drop = drop_info_warn

I am making the assumption that type1-logs, and type2-logs are two different sourcetypes you wish to exclude these events from. If its only one type of log, then you only need to include one such stanza.

To add some context to SEDCMD - this allows you to amend/replace text as the data is indexed, it won't allow you to 'drop' it.
This means that you could mark all the INFO/WARN lines as blank, but you're still going to index them and:
a.) This is almost certainly NOT what you want
b.) You will still be paying to index them (licence usage/disk etc)

By using props AND transforms, you prevent Splunk ever processing (indexing) events which contain these log levels, and I suspect this is what you really want.

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...