Getting Data In

How do you exclude all lines with INFO or WARN from being indexed?

nls7010
Path Finder

I have been reading through a lot of the previous answers to exclusion, but none match what I need. I need to exclude all INFO and WARN lines from one of my indexes, so that they are never processed. Only the ERROR lines should be processed.

I have this so far, but I'm not certain of a couple of things. One, what should I have in the props file to complete it, and two, do I need the in the transforms.conf file:

PROPS.CONF

TRANSFORMS-set = setnull, setparsing

TRANSFORMS.CONF

<code>[setnull]
REGEX = INFO, WARN
DEST_KEY = queue
FORMAT = nullQueue
</code>
0 Karma

nls7010
Path Finder

We have clustered indexers and I pushed it out via the cluster master. I believe it's supposed to restart them all.

0 Karma

lakshman239
Influencer

You need configs in both props.conf and transforms.conf. The following sends events with only ERROR to your indexer.

PROPS.CONF
[your_sourcetype]
TRANSFORMS-set = setnull, setparsing

TRANSFORMS.CONF

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = ERROR
DEST_KEY = queue
FORMAT = indexQueue
0 Karma

nls7010
Path Finder

So, if I'm understanding this correctly, I would do something like the following:

PROPS.CONF

[value1-logs]
TRANSFORMS-set = setnull, setparsing

[value2-logs]
TRANSFORMS-set = setnull, setparsing

TRANSFORMS.CONF

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = ERROR
DEST_KEY = queue
FORMAT = indexQueue

So that only lines with ERROR will show?

0 Karma

lakshman239
Influencer

yes correct

0 Karma

nls7010
Path Finder

Quick question: the FORMAT key, should that be the name of the actual index in the transforms.conf file? Or is that literal? Asking because I still see the WARN and INFO logs coming in after pushing out the following:

[my1-logs]
TRANSFORMS-set = setnull, setparsing

[my2-logs]
TRANSFORMS-set = setnull, setparsing

TRANSFORMS.CONF

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = ERROR
DEST_KEY = queue
FORMAT = indexQueue

0 Karma

nls7010
Path Finder

I just realized I asked that comment on the wrong value. It's the REGEX = . Is that supposed to have a value of INFO,WARN?

0 Karma

lakshman239
Influencer

What do you want? Do you want INFO and WARN, or ERROR? You can adjust them as per your needs.

# This sends all events to be ignored
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# this says ignore all events, except the ones containing ERROR
[setparsing]
REGEX = ERROR
DEST_KEY = queue
FORMAT = indexQueue
0 Karma

nls7010
Path Finder

ok, I understand, so now I'll need to work with the client to see if everything is getting to the forwarders as needed. I did verify that the props and transform files did make it to all the indexers and the indexer cluster members were all restarted.

0 Karma

nls7010
Path Finder

I just want the ERROR lines. So I would want to eliminate INFO, WARN, etc that are not ERROR related.

0 Karma

lakshman239
Influencer

It's a literal. Did you restart your indexer after the changes?

0 Karma

nls7010
Path Finder

Yes, I did a rolling restart, but am still seeing INFO and WARN which I wanted to block out and only get ERROR.

0 Karma

lakshman239
Influencer

Can you test the config in your dev with the above config?

0 Karma

nls7010
Path Finder

I am testing in my development environment and I get the same issue. Nothing gets parsed out, it's all still coming into the logs. I will be working with my client in a little while to ensure the props and transforms made it to the servers (they are containers).

0 Karma

nls7010
Path Finder

They have all been restarted, but it's still sending the INFO and WARN messages 😞

0 Karma

nls7010
Path Finder

There were some code lines surrounding the transforms lines; those were what I was asking about.

0 Karma

nls7010
Path Finder

What if there are multiple source types? I wanted to exclude those lines for the entire index which was created for this customer and they have multiple sourcetypes.

0 Karma

lakshman239
Influencer

For each sourcetype, you need to have the same settings:

[your_sourcetype1]
TRANSFORMS-set = setnull, setparsing

[your_sourcetype2]
TRANSFORMS-set = setnull, setparsing

However, you just need one setting for transforms, as provided earlier.

After updating, you need to restart your indexer, so any new data will have this filtering applied.

0 Karma
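As an added illustration (not from this thread or from Splunk itself), the following Python models the part of the answer that is easy to get wrong: transforms listed in TRANSFORMS-set run in order, and for DEST_KEY = queue the last matching REGEX decides the queue, so setnull (matching everything) must come before setparsing. The transform tables, sample log lines and function names are constructed here; it also shows why the question's original REGEX = INFO, WARN drops nothing.

```python
import re

# Constructed model of how a Splunk TRANSFORMS-<name> list is evaluated at
# parse time: each transform is tried in the order listed in props.conf, and
# every one whose REGEX matches the raw event overwrites DEST_KEY (the queue).
# The last matching transform wins, which is why setnull must come first.
TRANSFORMS = {
    "setnull":    {"REGEX": r".",     "DEST_KEY": "queue", "FORMAT": "nullQueue"},
    "setparsing": {"REGEX": r"ERROR", "DEST_KEY": "queue", "FORMAT": "indexQueue"},
}

# The stanza from the original question: "INFO, WARN" is one literal pattern,
# not a list, so it only matches a line that contains exactly "INFO, WARN".
NAIVE_SETNULL = {"setnull": {"REGEX": r"INFO, WARN", "DEST_KEY": "queue", "FORMAT": "nullQueue"}}
# The same intent written as a regex alternation, which matches either word.
ALTERNATION_SETNULL = {"setnull": {"REGEX": r"INFO|WARN", "DEST_KEY": "queue", "FORMAT": "nullQueue"}}


def route_event(raw, order=("setnull", "setparsing"), transforms=TRANSFORMS):
    """Return the queue an event lands in after the transforms run in order."""
    queue = "indexQueue"  # default when no transform matches: index the event
    for name in order:
        t = transforms[name]
        if t["DEST_KEY"] == "queue" and re.search(t["REGEX"], raw):
            queue = t["FORMAT"]  # later matches overwrite earlier ones
    return queue


def filter_events(events, order=("setnull", "setparsing"), transforms=TRANSFORMS):
    """Return only the events that would reach indexQueue, i.e. get indexed."""
    return [e for e in events if route_event(e, order, transforms) == "indexQueue"]


# Constructed sample lines in the INFO/WARN/ERROR style the thread describes.
SAMPLE_EVENTS = [
    "2024-05-01 10:00:01 INFO  service started",
    "2024-05-01 10:00:02 WARN  disk usage at 85%",
    "2024-05-01 10:00:03 ERROR connection refused to db01",
    "2024-05-01 10:00:04 DEBUG heartbeat",
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(route_event(e), "<-", e)
    # Reversed order keeps nothing: "." matches every line and now runs last.
    print("reversed:", filter_events(SAMPLE_EVENTS, order=("setparsing", "setnull")))
    # The question's original REGEX does not drop a plain INFO or WARN line.
    print("naive:", filter_events(SAMPLE_EVENTS, order=("setnull",), transforms=NAIVE_SETNULL))
```

Note that with the two-stanza config the DEBUG line is dropped as well, since anything not containing ERROR is routed to nullQueue by setnull.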