Disabling type "Informational" with splunk for win...

nbennett · ‎06-25-2010

I have a linux indexer. I forward with the light forwarder from about 200 windows boxes.

On the indexer I don't want it to index type=informational.

How does one go about that?

ftk · ‎06-25-2010

Take a look at routing and filtering: http://www.splunk.com/base/Documentation/latest/admin/Routeandfilterdata

You will need a transforms.conf stanza to define what events to ignore and a props.conf stanza to define which sourcetype to apply it to.

You can ignore data by routing it to the nullQueue. In transforms.conf:

[routeInfoToNull]
REGEX=(?m)^Type=Information
DEST_KEY=queue
FORMAT=nullQueue

This will set up everything that comes in to match that REGEX (in this case Type=Information on a newline) to go to the nullQueue (basically /dev/null).

Now apply this transforms to your event logs as such in props.conf:

[WinEventLog:System]
TRANSFORMS-SystemInfoToNull = routeInfoToNull

Not that if you're pulling via WMI you will have to apply this to the [wmi] sourcetype. If you want to route data from additional event logs just add more stanzas to props.conf.

ftk · ‎06-25-2010

An afterthought: There are lots of interesting events logged as informational on Windows that you might want to actually index. Service startup type changes, service start/stop events, Windows update installs come to mind.

Simeon · ‎06-25-2010

It sounds like you want to tune the windows inputs for the forwarding system. See the following link for more guidance:

http://www.splunk.com/base/Documentation/latest/Admin/ConsiderationsfordecidinghowtomonitorWindowsda...

Disabling type "Informational" with splunk for windows

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes