Getting Data In

How to not index certain messages from splunkd on the fwd servers

brent_weaver
Builder

I am trying to minimize the amount of apps I have by putting paths into inputs.conf that may or may not exist on all hosts in the serverclass. I am getting a ton of the following:

12-18-2015 16:58:33.907 +0000 WARN  FilesystemChangeWatcher - error getting attributes of path "e:\Directory": The device is not ready.

I realize that this is legit, but how can I make it so Splunk does not index these events?

0 Karma

brent_weaver
Builder

Thank you all! I looked for this category in log.cfg and could not find it. Do I add it?

0 Karma

yannK
Splunk Employee

You can add it.

[splunkd]
category.FileInputTracker=ERROR

0 Karma

yannK
Splunk Employee

Another solution is to tune your log level to stop recording those "WARN" events for the category "FilesystemChangeWatcher".

On the forwarder, take a look at $SPLUNK_HOME/etc/log.cfg.
Change the log level for FilesystemChangeWatcher to "ERROR" and restart to apply.
See http://docs.splunk.com/Documentation/Splunk/6.3.1511/AdvancedDev/ModInputsLog

the_wolverine
Champion

You can drop these events at the indexer during parsing (before they are indexed) or use a heavy forwarder to parse the events out before sending to your indexer:

https://answers.splunk.com/answers/111257/universal-forwarder-nullqueue.html

0 Karma

brent_weaver
Builder

Thank you for the response. I set this up and it is not working. I think I have the REGEX field wrong.

Props.conf:

[splunkd]
TRANSFORMS = nullMon

Transforms.conf:

[nullMon]
REGEX = .*FilesystemChangeWatcher.*
DEST_KEY = queue
FORMAT = nullQueue
0 Karma
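An offline check of the REGEX from the transforms.conf stanza above against sample splunkd.log lines, added here as an illustration and not code from any poster in this thread. Python's `re` stands in for Splunk's regex matcher, and every sample line except the first, as well as the narrower pattern, is a constructed assumption. It shows that the posted pattern does match the WARN event, and that it would also discard any other event that mentions the component name.

```python
import re

# The first line is the event quoted in the question; the rest are constructed.
SAMPLE_EVENTS = [
    '12-18-2015 16:58:33.907 +0000 WARN  FilesystemChangeWatcher - '
    'error getting attributes of path "e:\\Directory": The device is not ready.',
    '12-18-2015 16:58:34.120 +0000 ERROR FilesystemChangeWatcher - '
    'constructed error line that should stay searchable',
    '12-18-2015 16:58:35.002 +0000 INFO  TailingProcessor - '
    'constructed line mentioning FilesystemChangeWatcher in its text',
    '12-18-2015 16:58:36.450 +0000 WARN  TcpOutputProc - constructed unrelated warning',
]

# REGEX exactly as posted in transforms.conf.
BROAD = r'.*FilesystemChangeWatcher.*'
# Hypothetical tighter pattern: only the WARN-level "error getting attributes" event.
NARROW = r'\sWARN\s+FilesystemChangeWatcher - error getting attributes of path'


def route(events, regex):
    """Emulate DEST_KEY = queue / FORMAT = nullQueue.

    The pattern is searched anywhere in the raw event (unanchored).
    Matching events are dropped; everything else goes on to be indexed.
    """
    pattern = re.compile(regex)
    kept, dropped = [], []
    for event in events:
        (dropped if pattern.search(event) else kept).append(event)
    return kept, dropped


def summary(events, regex):
    """Return (kept_count, dropped_count) for a pattern."""
    kept, dropped = route(events, regex)
    return len(kept), len(dropped)


if __name__ == '__main__':
    for name, regex in (('posted', BROAD), ('narrow', NARROW)):
        kept, dropped = route(SAMPLE_EVENTS, regex)
        print(f'{name}: kept={len(kept)} dropped={len(dropped)}')
        for event in dropped:
            print('  drop:', event[:70])
```
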