Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to exclude/ignore writing an error to splunkd.log

nareshinsvu
Builder
‎09-29-2019 09:51 PM

Hi,

Is there a way to tell splunk not to write a particular error message to splunkd.log?

I am getting hit by below error continuously and I can't fix JSON inputs which are coming from external source.

My splunkd.log has only these lines and nothing else.

09-30-2019 14:45:25.717 +1000 ERROR JsonLineBreaker - JSON StreamId:10924785040871047960 had parsing error:Unexpected character: '-' - .......................

My props.conf is like

[my_json]
SEDCMD-strip_prefix = s/^[^{]+//g
INDEXED_EXTRACTIONS=JSON
NO_BINARY_CHECK = true
category = Custom
description = my_json_custom
disabled = false
pulldown_type = true
DATETIME_CONFIG = CURRENT
TRUNCATE = 100000
MAX_EVENTS = 10000
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-29-2019 11:57 PM

Hi nareshinsvu,
if you want, you can filter events before indexing (see https://docs.splunk.com/Documentation/Splunk/7.3.1/Forwarding/Routeandfilterdatad ) but why you want this?
I think that all the information can be useful to debug a problem when needed, if you want to exclude them fron your searches use a NOT clause in yout search so you can exclude them!

Anyway to filter these events, you can use something like this:
In props.conf

[my_json]
TRANSFORMS-null= setnull

In transforms.conf

[setnull]
REGEX = ERROR JsonLineBreaker - JSON StreamId:\d+ had parsing error:Unexpected character
DEST_KEY = queue
FORMAT = nullQueue

If instead you want to exclude these events from your searches, see something like this:

your_search NOT ("ERROR JsonLineBreaker - JSON StreamId:" "had parsing error:Unexpected character")
| ...

Bye.
Giuseppe

0 Karma
Reply

nareshinsvu
Builder
‎09-30-2019 12:10 AM

Hi Giuseppe,

You got my question wrong. Below is my splunkd.log file on forwarders. Not the source file content being indexed

I am getting these lines in the splunk logs while indexing JSON data (from my source data which is a mix of JSON and non-JSON). I am successfully getting my JSON data indexed. But my splunkd.log is continuously filled with these lines which I want to avoid.

09-30-2019 14:45:25.717 +1000 ERROR JsonLineBreaker - JSON StreamId:10924785040871047960 had parsing error:Unexpected character: '-' - .......................
0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...