I don't have a lot of disk space on my indexers. I know that I can reduce the amount of logging and number of metrics.log files created by manipulating the appenders section of log.cfg, but the following messages still get logged far too frequently:
-0400 INFO StatusMgr - sourcePort=XXXX, ssl=nnnnnn, statusee=TcpInputProcessor
Apparently these get logged constantly, and although they help when a connection is lost, I honestly don't need to see them as long as everything is working fine. How can I reduce just this specific message type (INFO StatusMgr), or eliminate it altogether, and thereby save on disk space?
From Manager>System Settings>System Logging>StatusMgr set the level to 'warn'.
That should eliminate the 'info' messages on a temporary basis.
For a permanent solution try a nullQueue:
I don't have any of the log entries you posted, but I was able to remove index entries that can be found with this search:
index=_internal | rex field=_raw ".*\s(?<infometrixs>INFO\s+Metrics).*$" | search infometrixs="INFO Metrics"
Once the following edits are made to the system/local/props.conf and transforms.conf you should see the above search start to produce no-more-results from the time of splunkd restart.
Props.conf
[splunkd]
TRANSFORMS-StatusMgr = setmetrixnull
Transforms.conf
[setmetrixnull]
REGEX = (?msi).*\sINFO\s+Metrics.*$
DEST_KEY = queue
FORMAT = nullQueue
In your case, if your post is accurate, you should change
REGEX = (?msi).*\sINFO\s+Metrics.*$
To
REGEX = (?msi).*\sINFO\s+StatusMgr.*$
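A quick offline check of which events each REGEX would route to nullQueue, as an added example that is not part of the original posts. The sample events are constructed, the third pattern is a hypothetical narrower variant, and Python's `re` is assumed to behave like Splunk's PCRE for these simple patterns.

```python
import re

# REGEX values: the first two are from the thread; the third is a narrower
# variant added for this example (an assumption, not from the thread).
PATTERNS = {
    "metrics": r"(?msi).*\sINFO\s+Metrics.*$",
    "statusmgr": r"(?msi).*\sINFO\s+StatusMgr.*$",
    "statusmgr_tcpin": r"(?msi).*\sINFO\s+StatusMgr\s.*statusee=TcpInputProcessor.*$",
}

# Constructed sample events, modeled on the line quoted in the question.
SAMPLE_EVENTS = [
    "10-07-2013 10:15:01.100 -0400 INFO  StatusMgr - sourcePort=9997, ssl=false, statusee=TcpInputProcessor",
    "10-07-2013 10:15:01.200 -0400 INFO  Metrics - group=example, name=example_queue",
    "10-07-2013 10:15:01.300 -0400 WARN  StatusMgr - constructed warning text",
    "10-07-2013 10:15:01.400 -0400 INFO  StatusMgr - statusee=ExampleOtherProcessor",
]


def dropped_indices(pattern, events):
    """Indices of events the pattern matches, i.e. those a nullQueue
    transform using it as REGEX would discard before indexing."""
    rx = re.compile(pattern)
    return [i for i, event in enumerate(events) if rx.search(event)]


def summarize(events=SAMPLE_EVENTS):
    """Map each pattern name to the indices it would discard."""
    return {name: dropped_indices(p, events) for name, p in PATTERNS.items()}


if __name__ == "__main__":
    for name, dropped in summarize().items():
        print(f"{name}: drops {len(dropped)} of {len(SAMPLE_EVENTS)}")
        for i, event in enumerate(SAMPLE_EVENTS):
            print("  ", "DROP" if i in dropped else "keep", event)
```

Running candidate patterns against a saved sample of real splunkd events before the restart shows exactly what visibility is being given up, including WARN lines from the same component that should survive.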
5.0.5, actually. Thanks
Which version of Splunk are you using?
But what if, by eliminating all INFO messages in metrics.log, I'll be missing something else that I might have wanted to see? I really want to know if it's possible to get more granular than that, to eliminate JUST these specific messages:
-0400 INFO StatusMgr - sourcePort=XXXX, ssl=nnnnnn, statusee=TcpInputProcessor
That is only temporary; according to the documentation, the best place to make this change is in log.cfg or log-local.cfg. So if I set the logging level to WARN, then that is the lowest level of log message importance that I'll see in metrics.log and Splunkd.log for this component? If that's so, it sure would help to have this spelled out plainly in the documentation....