Is it possible to disable logging on the Cisco eSt...

responsys_cm · ‎12-09-2016

The eStreamer input generates like 300 MB of log files per day. Is there any way to disable that logging?

gcusello · ‎12-10-2016

Hi responsys_cm,
to disable eStreamer input, you have to disable Splunk inputs for this App, there are two ways:

You can do it by web interface [Settings -- Inputs], find eStreamer inpus and disable them;
modify $SPLUNK_HOME/etc/apps/eStreamer/local/inputs.conf, inserting "disabled=1" where "disabled=0" and restart Splunk, if this file doesn't exist, copy it from SPLUNK_HOME/etc/apps/eStreamer/default.

If you receive also logs using syslog, remember to disable this in your CISCO interface.

Bye.
Giuseppe

responsys_cm · ‎12-10-2016

My goal isn't to disable the input. The input generates log files on its operations as well as indexing data from FireSIGHT. I want the FireSIGHT data, but not the hundreds of megs of the inputs operational logs...

gcusello · ‎12-10-2016

you have to chose the logs you want to discard, find the correct regex and then filter your data using the regex:
(http://docs.splunk.com/Documentation/Splunk/6.5.1/Forwarding/Routeandfilterdatad)
props.conf

 [your_sourcetype]
 TRANSFORMS-null= setnull

transforms.conf

 [setnull]
 REGEX = your_regex
 DEST_KEY = queue
 FORMAT = nullQueue

and restart Splunk

bye.
Giuseppe

responsys_cm · ‎12-11-2016

These logs aren't being ingested by Splunk. They are logs that the eStreamer script generates. They consume hundreds of megs a day.

gcusello · ‎12-11-2016

Sorry, I don't know eStreamer and i don't know how to disable log!
Bye.
Giuseppe

Is it possible to disable logging on the Cisco eStreamer for Splunk app?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life