I am trying to minimize the number of apps I have by putting paths into inputs.conf that may or may not exist on all hosts in the serverclass. I am getting a ton of the following:
12-18-2015 16:58:33.907 +0000 WARN FilesystemChangeWatcher - error getting attributes of path "e:\Directory": The device is not ready.
I realize that this is legit, but how can I make it so Splunk does not index these events?
You can drop these events at the indexer during parsing (before they are indexed) or use a heavy forwarder to parse the events out before sending to your indexer:
Thank you for the response. I set this up and it is not working. I think I have the REGEX field wrong.
# props.conf
[splunkd]
TRANSFORMS = nullMon

# transforms.conf
[nullMon]
REGEX = .*FilesystemChangeWatcher.*
DEST_KEY = queue
FORMAT = nullQueue
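As an added check that is not part of the original thread: a small Python script that runs the posted REGEX, plus a narrower hypothetical pattern, over constructed splunkd.log lines to show which lines a DEST_KEY = queue / FORMAT = nullQueue transform would discard. It assumes Python's re behaves like Splunk's PCRE for these simple patterns and that lines not matched stay on the default indexQueue.

```python
import re

# Constructed sample splunkd.log lines; only the first is taken from the post.
SAMPLE_LINES = [
    '12-18-2015 16:58:33.907 +0000 WARN FilesystemChangeWatcher - error getting '
    'attributes of path "e:\\Directory": The device is not ready.',
    '12-18-2015 16:58:34.001 +0000 ERROR FilesystemChangeWatcher - error getting '
    'attributes of path "d:\\logs": Access is denied.',
    '12-18-2015 16:58:35.120 +0000 INFO TailingProcessor - Parsing configuration '
    'stanza: monitor://c:\\logs',
]

# The REGEX exactly as posted: drops every FilesystemChangeWatcher line,
# including ERROR lines you may want to keep.
BROAD = re.compile(r'.*FilesystemChangeWatcher.*')

# Hypothetical narrower REGEX: drops only the "device is not ready" WARN.
NARROW = re.compile(
    r'WARN FilesystemChangeWatcher - error getting attributes of path '
    r'.*: The device is not ready\.'
)


def route(line, pattern):
    """Queue a line lands on under DEST_KEY = queue, FORMAT = nullQueue.

    Splunk applies REGEX as an unanchored search over _raw, so re.search
    is used rather than re.match. Unmatched lines keep the default queue.
    """
    return "nullQueue" if pattern.search(line) else "indexQueue"


def simulate(lines, pattern):
    """Route each line and return the list of destination queues."""
    return [route(line, pattern) for line in lines]


if __name__ == "__main__":
    for name, pat in (("posted", BROAD), ("narrow", NARROW)):
        print(name, simulate(SAMPLE_LINES, pat))
```

Running it shows the posted pattern also silences the ERROR line, which is why scoping the REGEX to the exact message is worth doing before deploying the nullQueue rule.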
Another solution is to tune your log level to stop recording those "WARN" events for the category "FilesystemChangeWatcher"
On the forwarder, take a look at $SPLUNK_HOME/etc/log.cfg.
Change the log level for FilesystemChangeWatcher to "ERROR" and restart to apply it.