Security

Forward only WARN OR ERROR log lines to splunk

vivek991985
New Member

Hi Team,

Need your expert advise on how can I configure my logstash.conf file to forward only the ERROR OR WARN log lines to Splunk. I have done some online research that a grok filter or wrapping the output with if condition can be used in order the acheive the required result.

I would appreciate if you could share a working example on the same. Many thanks!

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @vivek991985,
the logging level doesn't depend on Splunk, it depends on the source, so maybe you should ask to a logstash forum.

Anyway, you can filter in Splunk the not interesting logs following the steps described at https://docs.splunk.com/Documentation/Splunk/8.0.3/Forwarding/Routeandfilterdatad#Filter_event_data_... .

Ciao.
Giuseppe

0 Karma

vivek991985
New Member

Thanks very much Giuseppe for your help! Noted.

0 Karma

vivek991985
New Member

I do not want to delete it at Splunk side.

I prefer not to send the data with INFO OR DEBUG logging levels to Splunk, therefore, looking forward to getting some clean solution to implement it.

Please advise how logstash.conf should be updated to achieve the required result.

Thanks!

0 Karma

to4kawa
Ultra Champion
0 Karma
Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...