How to not index certain messages from splunkd on ...

brent_weaver · ‎12-18-2015

I am trying to minimize the amount of apps I have by putting paths into inputs.conf that may or may not exist on all hosts in the serverclass. I am getting a ton of the following:

12-18-2015 16:58:33.907 +0000 WARN  FilesystemChangeWatcher - error getting attributes of path "e:\Directory": The device is not ready.

I realize that this is legit, but how can I make it so Splunk does not index these events?

brent_weaver · ‎12-21-2015

Thank you all! I looked for this category in log.cfg and could not find it. Do I add it?

yannK · ‎12-21-2015

you can add it.

[splunkd]
category.FileInputTracker=ERROR

yannK · ‎12-19-2015

Another solution is to tune your log level to stop recording those "WARN" events for the category "FilesystemChangeWatcher"

on the forwarder, take a look at $SPLUNK_HOME/etc/log.cfg
change the log level for FilesystemChangeWatcher to "ERROR" and restart to apply
see http://docs.splunk.com/Documentation/Splunk/6.3.1511/AdvancedDev/ModInputsLog

the_wolverine · ‎12-18-2015

You can drop these events at the indexer during parsing (before they are indexed) or use a heavy forwarder to parse the events out before sending to your indexer:

https://answers.splunk.com/answers/111257/universal-forwarder-nullqueue.html

brent_weaver · ‎12-23-2015

Thank you for the response, i set this up and it is not working. I think I have the REGEX field wrong.

Props.conf:

[splunkd]
TRANSFORMS = nullMon

Transforms.conf:

[nullMon]
REGEX = .*FilesystemChangeWatcher.*
DEST_KEY = queue
FORMAT = nullQueue

How to not index certain messages from splunkd on the fwd servers

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms