Getting Data In

how to filter event logs by type?

Engager

I've setup up event log monitoring on a few machines. I don't need to index and monitor anything but warnings and errors... These account for a tiny amount of what I'm indexing now. I know I can use black/whitelist for file names, but I haven't figured out how to ignore events by type. Is this possible? I imagine someone else is in a similar situation....

0 Karma

Splunk Employee
Splunk Employee

You can use a nullQueue filter to filter at index time on the indexers. Based on a regex over the events.

see http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Discard_specific_e...

for WinEventLog, you can use whitelist/blacklist on the EventCode on the forwarders
see http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowsdata#Create_advanced_filters_w...

Engager

these are helpful... I've read through them both. What I'm trying to do is not burn space saving a million "information events" instead of warnings and errors... I see I can filter by event code, but that list is too long reaching to black/white list it all... If I can pull the data and see the type in it's own field, you'd think I could actually filter by type?

0 Karma