Getting Data In

How to filter or blacklist all event type/level "information" on Splunk 6.5.0?

citosysadmin
New Member

I would like to filter/blacklist all events of type/level "Information" on Splunk 6.5.0. I am using WMI to collect logs from my servers. I am not sure if we blacklist them in \etc\system\default\inputs.conf or \etc\system\local\inputs.conf.

I am not sure about the syntax I need to use since I am new to Splunk. I am not using a forwarder to collect events.

0 Karma

citosysadmin
New Member

Hello. Basically I would like to index all errors and warnings and discard the rest. At the moment I am ONLY able to index errors and everything else is discarded; I would now like to index errors and warnings.

What I have that is working for errors only:

props.conf
[WMI:WinEventLog:Application]
TRANSFORMS-evtlog = nullQueue, errorOnly

transforms.conf
[nullQueue]
REGEX=.
DEST_KEY=queue
FORMAT=nullQueue

[errorOnly]
REGEX=Error
DEST_KEY=queue
FORMAT=indexQueue

What I have tried for Windows errors and warnings, but it does not work:

props.conf
[WMI:WinEventLog:Application]
TRANSFORMS-evtlog = nullQueue, errorOnly, warningOnly

transforms.conf
[nullQueue]
REGEX=.
DEST_KEY=queue
FORMAT=nullQueue

[errorOnly]
REGEX=Error
DEST_KEY=queue
FORMAT=indexQueue

[warningOnly]
REGEX=Warning
DEST_KEY=queue
FORMAT=indexQueue

Your help will be greatly appreciated.

0 Karma

aaraneta_splunk
Splunk Employee

@citosysadmin - Were you able to test out paulstout's solution? Did it work? If yes, please don't forget to resolve this post by clicking on "Accept". If you still need more help, please provide a comment with some feedback. Thanks!

0 Karma

citosysadmin
New Member

This works excellently for indexing errors and discarding everything else:

props.conf
[WMI:WinEventLog:Application]
TRANSFORMS-evtlog = nullQueue, errorOnly

transforms.conf
[nullQueue]
REGEX=.
DEST_KEY=queue
FORMAT=nullQueue

[errorOnly]
REGEX=Error
DEST_KEY=queue
FORMAT=indexQueue

But now I would like to index errors and warnings. I have tried the below, but it is not working the way I want.

props.conf
[WMI:WinEventLog:Application]
TRANSFORMS-evtlog = nullQueue, errorOnly, warningOnly

transforms.conf
[nullQueue]
REGEX= .
DEST_KEY=queue
FORMAT=nullQueue

[errorOnly]
REGEX=Error
DEST_KEY=queue
FORMAT=indexQueue

[warningOnly]
REGEX=Warning
DEST_KEY=queue
FORMAT=indexQueue

Perhaps I am doing something wrong.

Your help will be greatly appreciated.

0 Karma

paulstout
Path Finder

What you're asking to do sounds a lot like this question:

https://answers.splunk.com/answers/11617/route-unwanted-logs-to-a-null-queue.html

You'd want to use this REGEX in transforms.conf:

REGEX=Type=Information

That should filter for the WinEventLog:* sourcetypes.
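As an added illustration (not code from this thread or from Splunk itself), the Python below simulates how Splunk evaluates a TRANSFORMS-<name> list: the stanzas run in the listed order against _raw, every stanza whose REGEX matches writes its FORMAT into DEST_KEY, so the last matching stanza wins, and an event matched by no stanza keeps the default destination, indexQueue. It runs the thread's nullQueue/errorOnly/warningOnly chain and paulstout's Type=Information blacklist over a few constructed WMI-style events. The sample event lines and the anchored Type=Error\b / Type=Warning\b stanzas are my assumptions, added to show two things a practitioner checks before trusting such a filter: the bare substrings Error and Warning also match an Information event whose message merely contains those words, and listing nullQueue last instead of first silently drops everything.

```python
import re

# Constructed sample WMI:WinEventLog:Application events (not real server data);
# only the fields that matter for routing are included.
SAMPLE_EVENTS = [
    "20170112103001.000000 LogName=Application Type=Error EventCode=1000 "
    "Message=Faulting application name: app.exe",
    "20170112103002.000000 LogName=Application Type=Warning EventCode=1530 "
    "Message=A registry file is still in use by another process",
    "20170112103003.000000 LogName=Application Type=Information EventCode=1 "
    "Message=Service started successfully",
    # Information event whose free-text message happens to contain "Error":
    "20170112103004.000000 LogName=Application Type=Information EventCode=7 "
    "Message=Error log rotated without problems",
]

# transforms.conf stanzas as name -> (REGEX, DEST_KEY, FORMAT).
# The thread's original, unanchored version:
TRANSFORMS_SUBSTRING = {
    "nullQueue":   (r".",       "queue", "nullQueue"),
    "errorOnly":   (r"Error",   "queue", "indexQueue"),
    "warningOnly": (r"Warning", "queue", "indexQueue"),
}
# Assumed variant that matches the Type field rather than any substring:
TRANSFORMS_ANCHORED = {
    "nullQueue":   (r".",              "queue", "nullQueue"),
    "errorOnly":   (r"Type=Error\b",   "queue", "indexQueue"),
    "warningOnly": (r"Type=Warning\b", "queue", "indexQueue"),
}
# paulstout's approach: a single blacklist stanza, everything else is indexed.
TRANSFORMS_BLACKLIST = {
    "infoToNull": (r"Type=Information", "queue", "nullQueue"),
}

ORDER_NULL_FIRST = ["nullQueue", "errorOnly", "warningOnly"]
ORDER_NULL_LAST = ["errorOnly", "warningOnly", "nullQueue"]


def route_event(raw, transforms, order):
    """Return the queue an event ends up in after applying the stanzas in
    `order`. Each matching stanza overwrites DEST_KEY, so the last match wins;
    an event matching nothing keeps Splunk's default, indexQueue."""
    keys = {"queue": "indexQueue"}
    for name in order:
        regex, dest_key, fmt = transforms[name]
        if re.search(regex, raw):
            keys[dest_key] = fmt
    return keys["queue"]


def route_all(events, transforms, order):
    """Route every event and return the list of destination queues."""
    return [route_event(e, transforms, order) for e in events]


if __name__ == "__main__":
    cases = [
        ("substring, nullQueue first", TRANSFORMS_SUBSTRING, ORDER_NULL_FIRST),
        ("anchored, nullQueue first", TRANSFORMS_ANCHORED, ORDER_NULL_FIRST),
        ("anchored, nullQueue last", TRANSFORMS_ANCHORED, ORDER_NULL_LAST),
        ("Type=Information blacklist", TRANSFORMS_BLACKLIST, ["infoToNull"]),
    ]
    for label, transforms, order in cases:
        print(label)
        for ev, dest in zip(SAMPLE_EVENTS, route_all(SAMPLE_EVENTS, transforms, order)):
            print(f"  {dest:10s} <- {ev[22:60]}")
```

Running it shows the fourth event (an Information event mentioning "Error" in its message) reaching indexQueue with the substring stanzas but nullQueue with the anchored ones, and every event reaching nullQueue when nullQueue is listed last.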
