Log.cfg - reduce frequency of INFO StatusMgr messages in metrics.log due to disk space

gsawyer1
Engager

I don't have a lot of disk space on my indexers. I know that I can reduce the amount of logging and number of metrics.log files created by manipulating the appenders section of log.cfg, but the following messages still get logged far too frequently:

-0400 INFO StatusMgr - sourcePort=XXXX, ssl=nnnnnn, statusee=TcpInputProcessor

Apparently these get logged constantly, and although they help when a connection is lost, I honestly don't need to see them as long as everything is working fine. How can I reduce just this specific message type (INFO StatusMgr), or eliminate it altogether, and thereby save on disk space?

0 Karma

lukejadamec
Super Champion

From Manager > System Settings > System Logging > StatusMgr, set the level to 'warn'.

That should eliminate the 'info' messages on a temporary basis.

For a permanent solution try a nullQueue:

I don't have any of the log entries you posted, but I was able to remove index entries that can be found with this search:

index=_internal | rex field=_raw ".*\s(?<infometrixs>INFO\s+Metrics).*$" | search infometrixs="INFO  Metrics"

Once the following edits are made to the system/local/props.conf and transforms.conf you should see the above search start to produce no-more-results from the time of splunkd restart.

Props.conf

[splunkd]
TRANSFORMS-StatusMgr = setmetrixnull

Transforms.conf

[setmetrixnull]
REGEX = (?msi).*\sINFO\s+Metrics.*$
DEST_KEY = queue
FORMAT = nullQueue

In your case, if your post is accurate, you should change

REGEX = (?msi).*\sINFO\s+Metrics.*$

To

REGEX = (?msi).*\sINFO\s+StatusMgr.*$

gsawyer1
Engager

5.0.5, actually. Thanks

0 Karma

lukejadamec
Super Champion

Which version of Splunk are you using?

0 Karma

gsawyer1
Engager

But what if, by eliminating all INFO messages in metrics.log, I'll be missing something else that I might have wanted to see? I really want to know if it's possible to get more granular than that, to eliminate JUST these specific messages:

-0400 INFO StatusMgr - sourcePort=XXXX, ssl=nnnnnn, statusee=TcpInputProcessor

0 Karma

gsawyer1
Engager

That is only temporary, according to the documentation, the best place to make this change is in log.cfg or log-local.cfg. So if I set the logging level to WARN, then that is the lowest level of log message importance that I'll see in metrics.log and Splunkd.log for this component? If that's so, it sure would help to have this spelled out plainly in the documentation....

0 Karma
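
Added example (not part of any post in this thread, and not Splunk's own code): a dry run of candidate nullQueue REGEX values against sample events, to see exactly what each one would discard before it goes into transforms.conf. Python's re module stands in for Splunk's regex engine, the sample events are constructed, and the two narrower patterns are hypothetical; the anchored one assumes each event starts with a date, a time and a UTC offset, as in the line quoted above.

```python
import re

# First two patterns are the REGEX values from the thread; the last two are
# hypothetical narrower variants (not from the thread).
PATTERNS = {
    "broad_metrics": r"(?msi).*\sINFO\s+Metrics.*$",
    "statusmgr": r"(?msi).*\sINFO\s+StatusMgr.*$",
    "statusmgr_tcpin": r"(?msi).*\sINFO\s+StatusMgr\s+-\s.*statusee=TcpInputProcessor.*$",
    # Anchored at event start and case-sensitive: the level and component must be
    # the event's own header fields, not text quoted later in the message.
    "anchored_tcpin": r"^\S+\s+\S+\s+[+-]\d{4}\s+INFO\s+StatusMgr\s+-\s.*statusee=TcpInputProcessor",
}

# Constructed sample events (not real log output).
SAMPLE_EVENTS = [
    "10-01-2013 09:15:02.101 -0400 INFO  StatusMgr - sourcePort=9997, ssl=false, statusee=TcpInputProcessor",
    "10-01-2013 09:15:02.150 -0400 INFO  StatusMgr - destPort=9997, statusee=TcpOutputProcessor",
    "10-01-2013 09:15:03.000 -0400 INFO  Metrics - group=queue, name=parsingqueue, current_size=0",
    "10-01-2013 09:15:04.000 -0400 WARN  StatusMgr - sourcePort=9997, ssl=false, statusee=TcpInputProcessor",
    # An ERROR event whose message body quotes an INFO StatusMgr line.
    "10-01-2013 09:15:05.000 -0400 ERROR ExampleComponent - retry failed; previous line: "
    "INFO StatusMgr - sourcePort=9997, ssl=false, statusee=TcpInputProcessor",
]


def dropped(pattern_name, events=SAMPLE_EVENTS):
    """Return indexes of events the pattern would route to nullQueue."""
    rx = re.compile(PATTERNS[pattern_name])
    return [i for i, event in enumerate(events) if rx.search(event)]


def kept(pattern_name, events=SAMPLE_EVENTS):
    """Return indexes of events that would still be indexed."""
    gone = set(dropped(pattern_name, events))
    return [i for i in range(len(events)) if i not in gone]


if __name__ == "__main__":
    for name in PATTERNS:
        print(f"{name:16} drops {dropped(name)} keeps {kept(name)}")
```

The unanchored StatusMgr patterns also discard the ERROR event, because `.*\sINFO\s+StatusMgr` matches anywhere in the event; only the anchored variant drops the single TcpInputProcessor line and nothing else.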