Getting Data In

how can I sift out TRACE and DEBUG entries so that splunk doesn't index them when pulling other data from monitored logs at clients?

Path Finder

Hello,
Our splunkforwarders are configured to pull in certain logs from various clients with a "[monitor://]" entry in the inputs.conf file on each client.

There is still ongoing development work on these clients, and the developers routinely set log levels to TRACE or DEBUG. These entries are required in the log, but we do not need them in Splunk, and they are causing our license volume to be exceeded.

How can I amend the stanzas for these monitored logs to prevent the TRACE and DEBUG entries from being routed to the indexer, while allowing all other entries to continue to be processed?

While I find information at the following: http://docs.splunk.com/Documentation/Splunk/6.1.3/Forwarding/Routeandfilterdatad#Keep_specific_event...

it is not clear to me whether I am to update the props.conf and transforms.conf at our heavy forwarders or on our indexer to accomplish the filtering.

Thanks so much.

Michael.


Re: how can I sift out TRACE and DEBUG entries so that splunk doesn't index them when pulling other data from monitored logs at clients?

Legend

Here's a great article on this topic. Your changes to props.conf AND transforms.conf need to go on the Heavy Forwarder in your environment.

http://networkerslog.blogspot.com/2012/01/how-to-filter-unwanted-data-without.html


Re: how can I sift out TRACE and DEBUG entries so that splunk doesn't index them when pulling other data from monitored logs at clients?

SplunkTrust

Splunk already has instructions for doing something very much like this in the Route and Filter Data page.

You don't provide all the details, but assuming you set a sourcetype = st in inputs.conf on that input, you should be able to put into your props.conf (or add to existing stanzas, if they're already there):

[st]
TRANSFORMS-null = setnull

In transforms.conf you will need something like

[setnull]
REGEX = (TRACE|DEBUG)
DEST_KEY = queue
FORMAT = nullQueue

I THINK. Test first with rex in a search; you have to match your OWN events and match them explicitly, so you'll probably need to tweak that a bit and add more context to the REGEX. We can help with that too; we just need some samples of good events and each type of bad event. Regex101.com can help a lot too; it's amazing.

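The nullQueue filter from the answer above, emulated on constructed sample events to show why the REGEX needs more context than (TRACE|DEBUG). This is an added example, not code from the thread or from Splunk; the log layout, the tightened regex and the function names are assumptions.

```python
import re

# Constructed sample events (not from the thread), in a common
# "date time LEVEL logger - message" layout.
SAMPLE_EVENTS = [
    "2014-09-02 10:15:01,120 INFO  com.example.App - service started",
    "2014-09-02 10:15:01,455 DEBUG com.example.Db - opening pool of size 8",
    "2014-09-02 10:15:02,003 TRACE com.example.Db - SELECT 1",
    "2014-09-02 10:15:02,210 WARN  com.example.Auth - 3 failed logins for user bob",
    "2014-09-02 10:15:03,777 INFO  com.example.App - DEBUG mode requested via flag, ignored",
    "2014-09-02 10:15:04,001 ERROR com.example.Auth - TRACEroute helper failed",
]

# Regex as given in the answer: matches TRACE or DEBUG anywhere in the event,
# including inside a message or a longer word such as "TRACEroute".
NAIVE_REGEX = r"(TRACE|DEBUG)"

# Assumed tightened regex: the level must be the third whitespace-delimited
# field and a whole word, so events that merely mention the words are kept.
ANCHORED_REGEX = r"^\S+\s+\S+\s+(TRACE|DEBUG)\b"


def route_events(events, regex):
    """Emulate a transforms.conf rule with DEST_KEY = queue, FORMAT = nullQueue.

    Returns (indexed, dropped). Like REGEX in transforms.conf, the match is a
    search anywhere in _raw unless the pattern anchors itself.
    """
    pattern = re.compile(regex)
    indexed, dropped = [], []
    for event in events:
        (dropped if pattern.search(event) else indexed).append(event)
    return indexed, dropped


def volume_saved(events, regex):
    """Bytes that would no longer count against the license with this rule."""
    _, dropped = route_events(events, regex)
    return sum(len(e.encode("utf-8")) + 1 for e in dropped)  # +1 for newline


if __name__ == "__main__":
    for name, regex in (("naive", NAIVE_REGEX), ("anchored", ANCHORED_REGEX)):
        indexed, dropped = route_events(SAMPLE_EVENTS, regex)
        print(f"{name}: indexed={len(indexed)} dropped={len(dropped)} "
              f"saved={volume_saved(SAMPLE_EVENTS, regex)} bytes")
        for e in dropped:
            print("  dropped:", e)
```

Run it once per candidate regex against real samples of your own events before putting the rule on the heavy forwarder; the naive pattern silently drops the INFO and ERROR events in this sample.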

Re: how can I sift out TRACE and DEBUG entries so that splunk doesn't index them when pulling other data from monitored logs at clients?

Path Finder

Thank you, Rich7177.

The inputs.conf files with the "monitor:///" stanza are in the splunkforwarder configs on each client. Then in each LAN (of many LANs) we have heavy forwarders, which all ultimately route data to a single indexer.

Given that scenario, am I to edit the props.conf and transforms.conf on my heavy forwarders or on my indexer?

Thanks so much.
