Log.cfg - reduce frequency of INFO StatusMgr messages in metrics.log due to disk space

gsawyer1
Engager

I don't have a lot of disk space on my indexers. I know that I can reduce the amount of logging and the number of metrics.log files created by manipulating the appenders section of log.cfg, but the following messages still get logged far too frequently:

-0400 INFO StatusMgr - sourcePort=XXXX, ssl=nnnnnn, statusee=TcpInputProcessor

Apparently these get logged constantly, and although they help when a connection is lost, I honestly don't need to see them as long as everything is working fine. How can I reduce just this specific message type (INFO StatusMgr), or eliminate it altogether, and thereby save on disk space?


lukejadamec
Super Champion

From

Manager>System Settings>System Logging>StatusMgr set the level to 'warn'.

That should eliminate the 'info' messages on a temporary basis.

For a permanent solution try a nullQueue:

I don't have any of the log entries you posted, but I was able to remove index entries that can be found with this search:

index=_internal | rex field=_raw ".*\s(?<infometrixs>INFO\s+Metrics).*$" | search infometrixs="INFO  Metrics"

Once the following edits are made to system/local/props.conf and transforms.conf, you should see the above search start to produce no more results from the time of the splunkd restart.

Props.conf

[splunkd]
TRANSFORMS-StatusMgr = setmetrixnull

Transforms.conf

[setmetrixnull]
REGEX = (?msi).*\sINFO\s+Metrics.*$
DEST_KEY = queue
FORMAT = nullQueue

In your case, if your post is accurate, you should change

REGEX = (?msi).*\sINFO\s+Metrics.*$

To

REGEX = (?msi).*\sINFO\s+StatusMgr.*$
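Before restarting splunkd with a nullQueue transform, it is worth checking the REGEX against a few representative lines to see exactly which events will be discarded. The script below is an added example, not part of this thread: it runs the two patterns from the answer above, plus a narrower pattern of my own (an assumption, matching only the sourcePort/ssl/statusee line gsawyer1 quoted), over constructed metrics.log lines and reports what survives. Splunk applies REGEX as an unanchored search on _raw, so re.search is the right analogue here.

```python
import re

# Constructed sample metrics.log lines (not taken from the original post); the
# timestamps and field values are made up to resemble the format quoted above.
SAMPLE_LINES = [
    '06-10-2014 10:00:01.000 -0400 INFO  Metrics - group=per_index_thruput, series="main", kbps=1.2',
    '06-10-2014 10:00:01.000 -0400 INFO  StatusMgr - sourcePort=9997, ssl=false, statusee=TcpInputProcessor',
    '06-10-2014 10:00:02.000 -0400 WARN  StatusMgr - destHost=idx1, destPort=9997, status=connection lost',
    '06-10-2014 10:00:03.000 -0400 INFO  Metrics - group=queue, name=parsingqueue, blocked=true',
]

# The two REGEX values from the answer, exactly as written for transforms.conf.
DROP_ALL_INFO_METRICS = r"(?msi).*\sINFO\s+Metrics.*$"
DROP_ALL_INFO_STATUSMGR = r"(?msi).*\sINFO\s+StatusMgr.*$"
# Narrower pattern (an assumption of this example, not from the thread): drop only the
# per-connection TcpInputProcessor status line, leaving other StatusMgr INFO events alone.
DROP_TCPINPUT_STATUS_ONLY = (
    r"(?msi).*\sINFO\s+StatusMgr\s+-\s+sourcePort=\S+,\s+ssl=\S+,\s+statusee=TcpInputProcessor.*$"
)


def routed_to_nullqueue(regex, event):
    """True if a transform with this REGEX would send the event to nullQueue."""
    return re.search(regex, event) is not None


def apply_transform(regex, events):
    """Return the events that survive the transform, i.e. the ones that get indexed."""
    return [e for e in events if not routed_to_nullqueue(regex, e)]


if __name__ == "__main__":
    for name, rx in [
        ("INFO Metrics", DROP_ALL_INFO_METRICS),
        ("INFO StatusMgr", DROP_ALL_INFO_STATUSMGR),
        ("TcpInputProcessor status only", DROP_TCPINPUT_STATUS_ONLY),
    ]:
        kept = apply_transform(rx, SAMPLE_LINES)
        print(f"{name}: keeps {len(kept)} of {len(SAMPLE_LINES)} sample lines")
        for event in kept:
            print("   ", event)
```

Note that the WARN StatusMgr line, the one that matters when a connection is lost, survives all three patterns; only the INFO variants are discarded.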

gsawyer1
Engager

5.0.5, actually. Thanks


lukejadamec
Super Champion

Which version of Splunk are you using?


gsawyer1
Engager

But what if, by eliminating all INFO messages in metrics.log, I'll be missing something else that I might have wanted to see? I really want to know if it's possible to get more granular than that, to eliminate JUST these specific messages:

-0400 INFO StatusMgr - sourcePort=XXXX, ssl=nnnnnn, statusee=TcpInputProcessor


gsawyer1
Engager

That is only temporary; according to the documentation, the best place to make this change is in log.cfg or log-local.cfg. So if I set the logging level to WARN, then that is the lowest level of log message importance that I'll see in metrics.log and Splunkd.log for this component? If that's so, it sure would help to have this spelled out plainly in the documentation...
