Hello,
our splunkforwarders are configured to pull in certain logs from various clients with a "[monitor://]" entry in the inputs.conf file on each client.
there is still on-going development work on these clients and the developers routinely set log levels to TRACE or DEBUG. these entries are required in the log, but we do not need them in splunk and they are causing our license volume to be exceeded.
how can I amend the stanzas for these monitored logs to prevent the TRACE and DEBUG entries from being routed to the indexer while allowing all other entries to continue to be processed?
while I find information at the following: http://docs.splunk.com/Documentation/Splunk/6.1.3/Forwarding/Routeandfilterdatad#Keep_specific_event...
it is not clear to me if I am to update the props.conf and transforms.conf at our heavy forwarders, or on our indexer to accomplish the filtering.
thanks so much.
Michael.
Splunk already has instructions for doing something very much like this in the Route and Filter Data page.
You don't provide all the details, but assuming you set a sourcetype = st in inputs.conf on that input, you should be able to put into your props.conf (or add to existing stanzas, if they're already there):
[st]
TRANSFORMS-null = setnull
In transforms.conf you will need something like
[setnull]
REGEX = (TRACE|DEBUG)
DEST_KEY = queue
FORMAT = nullQueue
I THINK.  Test first with rex in a search, you have to match your OWN events and match them explicitly, so you'll probably need to tweak that a bit and add more context into the REGEX.  We can help with that too, just need some samples of good events and each type of bad event.  Regex101.com can help a lot too, it's amazing.
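Added example, not part of the original post: a small Python model of the nullQueue routing above, run against constructed sample events, to show why the bare (TRACE|DEBUG) regex needs more context. The log layout and the anchored pattern are assumptions; adapt them to your own events.

```python
import re

# Constructed sample events (not from the original post): one log with
# several levels, plus lines whose message merely contains DEBUG or TRACE.
SAMPLE_EVENTS = [
    "2014-09-02 10:15:01,123 INFO  [main] Service started",
    "2014-09-02 10:15:01,130 DEBUG [main] Loaded 42 config keys",
    "2014-09-02 10:15:02,001 TRACE [worker-1] entering handle()",
    "2014-09-02 10:15:02,950 WARN  [worker-1] Retrying connection",
    "2014-09-02 10:15:03,200 INFO  [admin] User set level=DEBUG for module auth",
    "2014-09-02 10:15:04,000 ERROR [worker-2] Unhandled exception in TRACE_ID lookup",
]

# The REGEX from the answer above, taken literally.
LOOSE_REGEX = r"(TRACE|DEBUG)"

# Hypothetical anchored version: assumes the level is the third
# whitespace-separated field (after date and time) in the constructed lines.
ANCHORED_REGEX = r"^\S+ \S+ (TRACE|DEBUG)\s"


def route(event: str, regex: str) -> str:
    """Mimic a transforms.conf stanza with DEST_KEY = queue and
    FORMAT = nullQueue: an event whose raw text matches REGEX anywhere
    (an unanchored search) goes to nullQueue; everything else continues
    to indexQueue."""
    return "nullQueue" if re.search(regex, event) else "indexQueue"


def dropped(events, regex):
    """Return the events a given REGEX would discard."""
    return [e for e in events if route(e, regex) == "nullQueue"]


def main():
    for name, regex in (("loose", LOOSE_REGEX), ("anchored", ANCHORED_REGEX)):
        print(f"--- {name}: {regex}")
        for e in SAMPLE_EVENTS:
            print(f"{route(e, regex):10s} {e}")


if __name__ == "__main__":
    main()
```

With the loose pattern the INFO and ERROR lines that only mention DEBUG or TRACE in their message are discarded too; the anchored pattern drops just the two real TRACE/DEBUG events.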
thank you Rich7177
the inputs.conf files with the "monitor:///" stanza are in the splunkforwarder configs on each client. then in each LAN (of many LANs) we have heavy forwarders which all ultimately route data to a single indexer.....
given that scenario, am I to edit the props.conf and transforms.conf on my heavy forwarders or on my indexer?
thanks so much.
Here's a great article on this topic. Your changes to props.conf AND transforms.conf need to go on the Heavy Forwarder in your environment.
http://networkerslog.blogspot.com/2012/01/how-to-filter-unwanted-data-without.html
