Getting Data In

How can I sift out TRACE and DEBUG entries so that Splunk doesn't index them when pulling other data from monitored logs at clients?

msantich
Path Finder

Hello,
Our splunkforwarders are configured to pull in certain logs from various clients with a "[monitor://]" entry in the inputs.conf file on each client.

There is still ongoing development work on these clients and the developers routinely set log levels to TRACE or DEBUG. These entries are required in the log, but we do not need them in Splunk and they are causing our license volume to be exceeded.

How can I amend the stanzas for these monitored logs to prevent the TRACE and DEBUG entries from being routed to the indexer while allowing all other entries to continue to be processed?

While I find information at the following: http://docs.splunk.com/Documentation/Splunk/6.1.3/Forwarding/Routeandfilterdatad#Keep_specific_event...

It is not clear to me if I am to update the props.conf and transforms.conf at our heavy forwarders, or on our indexer to accomplish the filtering.

Thanks so much.

Michael.

0 Karma
1 Solution

Richfez
SplunkTrust

Splunk already has instructions for doing something very much like this in the Route and Filter Data page.

You don't provide all the details, but assuming you set a sourcetype = st in inputs.conf on that input, you should be able to put into your props.conf (or add to existing stanzas, if they're already there):

[st]
TRANSFORMS-null = setnull

In transforms.conf you will need something like

[setnull]
REGEX = (TRACE|DEBUG)
DEST_KEY = queue
FORMAT = nullQueue

I THINK. Test first with rex in a search; you have to match your OWN events and match them explicitly, so you'll probably need to tweak that a bit and add more context into the REGEX. We can help with that too, we just need some samples of good events and each type of bad event. Regex101.com can help a lot too; it's amazing.

0 Karma
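An added example (not from the post, and not Splunk's own code) that emulates the nullQueue routing in Python against constructed sample events, to show why the caveat about adding context to the REGEX matters: the unanchored (TRACE|DEBUG) also drops an INFO event that merely mentions "DEBUG" and a WARN event about a rejected TRACE request, whereas a regex anchored on the level field keeps them. The log layout (timestamp, level, thread, message) and the strict regex are assumptions; adapt them to your own events.

```python
import re

# Constructed sample events (not from the original post) in an assumed layout:
# "<date> <time> <LEVEL> [<thread>] <message>". Events 4 and 5 are INFO/WARN
# lines that merely contain the words DEBUG and TRACE in their message.
SAMPLE_EVENTS = [
    "2024-03-01 10:00:01,123 INFO  [main] Service started on port 8443",
    "2024-03-01 10:00:02,456 DEBUG [worker-1] Loaded 42 rules from cache",
    "2024-03-01 10:00:03,789 TRACE [worker-1] entering handleRequest()",
    "2024-03-01 10:00:04,012 INFO  [main] DEBUG logging disabled by operator",
    "2024-03-01 10:00:05,345 WARN  [http] Rejected TRACE request from 10.0.0.5",
    "2024-03-01 10:00:06,678 ERROR [db] Connection refused",
]

# The REGEX from the answer, as written: unanchored, so it matches anywhere in _raw.
LOOSE_REGEX = r"(TRACE|DEBUG)"

# Assumed tightened variant: only matches when TRACE/DEBUG is the level token
# following the two timestamp fields. Splunk evaluates REGEX with PCRE; this
# pattern is valid in both PCRE and Python's re module.
STRICT_REGEX = r"^\S+ \S+ (TRACE|DEBUG)\b"


def route_events(events, regex):
    """Emulate the [setnull] stanza: an event matching REGEX goes to nullQueue
    (dropped before indexing); everything else is kept. Returns (kept, dropped)."""
    pattern = re.compile(regex)
    kept, dropped = [], []
    for event in events:
        (dropped if pattern.search(event) else kept).append(event)
    return kept, dropped


def over_filtered(events):
    """Events the loose regex would discard that the strict regex keeps, i.e.
    data that would silently never reach the indexer."""
    _, loose_dropped = route_events(events, LOOSE_REGEX)
    _, strict_dropped = route_events(events, STRICT_REGEX)
    return [e for e in loose_dropped if e not in strict_dropped]


if __name__ == "__main__":
    for name, rx in (("loose", LOOSE_REGEX), ("strict", STRICT_REGEX)):
        kept, dropped = route_events(SAMPLE_EVENTS, rx)
        print(f"{name}: kept {len(kept)}, dropped {len(dropped)}")
    for e in over_filtered(SAMPLE_EVENTS):
        print("over-filtered by loose regex:", e)
```

Running it shows the loose pattern dropping four of the six events while the anchored one drops only the two genuine TRACE/DEBUG lines.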

msantich
Path Finder

Thank you, Rich7177.

The inputs.conf files with the "monitor:///" stanza are in the splunkforwarder configs on each client. Then in each LAN (of many LANs) we have heavy forwarders which all ultimately route data to a single indexer.

Given that scenario, am I to edit the props.conf and transforms.conf on my heavy forwarders or on my indexer?

Thanks so much.

0 Karma

sundareshr
Legend

Here's a great article on this topic. Your changes to props.conf AND transforms.conf need to go on the Heavy Forwarder in your environment.

http://networkerslog.blogspot.com/2012/01/how-to-filter-unwanted-data-without.html

0 Karma