Splunk newbie question, I think.
We have a medium-sized heterogeneous (in terms of OS) environment. We are getting non-errors reported with the "nix_errors" eventtype and also the "nix-log-files" eventtype, though the log files are actually on a Windows server. These eventtypes are defined from the "Splunk for Unix and Linux" App.
The "nix_errors" eventtype is defined as:
NOT sourcetype=stash error OR critical OR failure OR fail OR failed OR fatal
What's the proper way for me to handle this? Suppressing the eventtype throws out too much.
Change the definition of the eventtypes in the Manager? (Will my changes be lost on an upgrade?) I think I would add an os_type tag and then reference that in the eventtypes.
um .... leave it as is?
Better option that I'm not aware of?
I don't want to uninstall the App. It's useful elsewhere.
... View more