Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to not index certain messages from splunkd on the fwd servers

brent_weaver
Builder
‎12-18-2015 09:07 AM

I am trying to minimize the amount of apps I have by putting paths into inputs.conf that may or may not exist on all hosts in the serverclass. I am getting a ton of the following:

12-18-2015 16:58:33.907 +0000 WARN  FilesystemChangeWatcher - error getting attributes of path "e:\Directory": The device is not ready.

I realize that this is legit, but how can I make it so Splunk does not index these events?

0 Karma
Reply

brent_weaver
Builder
‎12-21-2015 08:30 AM

Thank you all! I looked for this category in log.cfg and could not find it. Do I add it?

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎12-21-2015 12:23 PM

you can add it.

[splunkd]
category.FileInputTracker=ERROR

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎12-19-2015 08:49 AM

Another solution is to tune your log level to stop recording those "WARN" events for the category "FilesystemChangeWatcher"

on the forwarder, take a look at $SPLUNK_HOME/etc/log.cfg
change the log level for FilesystemChangeWatcher to "ERROR" and restart to apply
see http://docs.splunk.com/Documentation/Splunk/6.3.1511/AdvancedDev/ModInputsLog

Reply

the_wolverine
Champion
‎12-18-2015 10:55 AM

You can drop these events at the indexer during parsing (before they are indexed) or use a heavy forwarder to parse the events out before sending to your indexer:

https://answers.splunk.com/answers/111257/universal-forwarder-nullqueue.html

0 Karma
Reply

brent_weaver
Builder
‎12-23-2015 07:36 AM

Thank you for the response, i set this up and it is not working. I think I have the REGEX field wrong.

Props.conf:

[splunkd]
TRANSFORMS = nullMon

Transforms.conf:

[nullMon]
REGEX = .*FilesystemChangeWatcher.*
DEST_KEY = queue
FORMAT = nullQueue
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...