Hello everyone!
I'm using the Splunk OpenTelemetry collector to send logs from k8s to Splunk through the HEC input. It's running as a DaemonSet.
The collector is deployed via Helm Chart: https://github.com/signalfx/splunk-otel-collector-chart
I would like to exclude logs containing a specific string, for example "Connection reset by peer", but cannot find the configuration that would be able to do that. It looks like the processors can do that:
https://opentelemetry.io/docs/collector/configuration/#processors
And also there is a default configuration for opentelemetry in the chart, but I cannot understand how to add a filter to it:
Has anyone encountered such an issue, or do you have any advice for this case?
Thank you @d_kazakov for the response.
I was looking for a solution where, if a log entry contains a specific string, that entire log entry is excluded from being pushed to the Splunk indexer.
Let me check if this solution works in that case or needs to be altered.
In this case, you can update filters like this:
gateway:
  enabled: true
  resources:
    requests:
      cpu: 100m
      memory: 500Mi
    limits:
      memory: 500Mi
  replicaCount: 1
  config:
    processors:
      filter/filter:
        logs:
          log_record:
            # The filter processor drops a log record when a condition
            # evaluates to true, so this drops every record whose body
            # contains "bot". (Appending "== false" would invert it and
            # drop everything that does NOT contain "bot".)
            - 'IsMatch(body, ".*bot.*")'
    service:
      pipelines:
        logs:
          processors:
            - filter/filter
This way, when data is coming to the gateway it will be filtered, and all log entries with "bot" in the body will be removed.
BTW, the previous configuration also must be under gateway.
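The detail that trips people up in the configuration above is the direction of the condition: the filter processor drops a record when any `log_record` condition is true, so `IsMatch(body, ".*bot.*")` removes the "bot" entries while `IsMatch(body, ".*bot.*") == false` would keep only them. The following is an added illustration, not part of the thread or of the collector's code: a small Python model of that semantics applied to a few constructed log records, including the "Connection reset by peer" case from the question. `is_match` stands in for OTTL's `IsMatch` (a regex search over the string form of the body) and `filter_log_records` for the processor's any-condition-true-means-drop rule; both are simplifications written for this example.

```python
import re

# Constructed sample records, loosely shaped like what the filelog receiver
# hands to the processor chain (a string body plus a couple of attributes).
SAMPLE_RECORDS = [
    {"body": "read tcp 10.0.0.5:443: connection reset by peer",
     "attrs": {"k8s.pod.name": "api-7c9f"}},
    {"body": "GET /healthz 200 user-agent=monitoring-bot/1.0",
     "attrs": {"k8s.pod.name": "web-1a2b"}},
    {"body": "order 4711 created",
     "attrs": {"k8s.pod.name": "api-7c9f"}},
]


def is_match(target, pattern):
    """Model of OTTL IsMatch(target, pattern): regex search over str(target).
    OTTL uses Go RE2 syntax; the patterns used here are valid in both."""
    return re.search(pattern, str(target)) is not None


def filter_log_records(records, conditions):
    """Model of filterprocessor `logs.log_record` semantics: each condition is a
    callable(record) -> bool, and a record is DROPPED if any condition is true."""
    return [rec for rec in records if not any(cond(rec) for cond in conditions)]


def drop_bodies_matching(pattern):
    """Equivalent of the OTTL condition 'IsMatch(body, "<pattern>")'."""
    return lambda rec: is_match(rec["body"], pattern)


def keep_only_bodies_matching(pattern):
    """Equivalent of 'IsMatch(body, "<pattern>") == false': drops every record
    whose body does NOT match, i.e. the inverse of what one usually wants."""
    return lambda rec: not is_match(rec["body"], pattern)


def bodies(records):
    """Helper to compare results by body text only."""
    return [rec["body"] for rec in records]


if __name__ == "__main__":
    conditions = [
        drop_bodies_matching(".*bot.*"),
        # (?i) makes the match case-insensitive, so the capitalised form
        # "Connection reset by peer" from the question is covered too.
        drop_bodies_matching("(?i)connection reset by peer"),
    ]
    print("kept:", bodies(filter_log_records(SAMPLE_RECORDS, conditions)))
    print("inverted:", bodies(filter_log_records(SAMPLE_RECORDS,
                                                [keep_only_bodies_matching(".*bot.*")])))
```

Running it keeps only "order 4711 created" for the normal conditions, while the inverted form keeps only the "bot" line; that is the behaviour to check against before shipping a `filter/` processor to the gateway, since a flipped condition silently discards the logs you wanted to keep.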
I am also looking for something like this. Has anyone tried to do this, and did it work?
Hey, dhimanv!
I've managed to achieve it. Splunk OnDemand request assisted with this issue. So there are a couple of options, but in my case, these filters worked to cut some fields in the JSON body to decrease the amount of GB we ingest: