Getting Data In

How do you exclude all lines with INFO or WARN from being indexed?

nls7010
Path Finder

I have been reading through a lot of the previous answers to exclusion, but none match what I need. I need to exclude all INFO and WARN lines from one of my indexes, so that they are never processed. Only the ERROR lines should be processed.

I have this so far, but I'm not certain of a couple of things. One, what should I have in the props file to complete it, and two, do I need the in the transforms.conf file:

PROPS.CONF

TRANSFORMS-set = setnull, setparsing

TRANSFORMS.CONF

<code>[setnull]
REGEX = INFO, WARN
DEST_KEY = queue
FORMAT = nullQueue
</code>
0 Karma

nls7010
Path Finder

We have clustered indexers and I pushed it out via the cluster master. I believe it's supposed to restart them all.

0 Karma

lakshman239
Influencer

You need configs in both props.conf and transforms.conf. The following sends events with only ERROR to your indexer.

PROPS.CONF
[your_sourcetype]
TRANSFORMS-set = setnull, setparsing

TRANSFORMS.CONF

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = ERROR
DEST_KEY = queue
FORMAT = indexQueue
0 Karma

nls7010
Path Finder

So, if I'm understanding this correctly, I would do something like the following:

PROPS.CONF

[value1-logs]
TRANSFORMS-set = setnull, setparsing

[value2-logs]
TRANSFORMS-set = setnull, setparsing

TRANSFORMS.CONF

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = ERROR
DEST_KEY = queue
FORMAT = indexQueue

So that only lines with ERROR will show?

0 Karma

lakshman239
Influencer

yes correct

0 Karma

nls7010
Path Finder

Quick question: the FORMAT key, should that be the name of the actual index in the transforms.conf file? Or is that literal? Asking because I still see the WARN and INFO logs coming in after pushing out the following:
[my1-logs]
TRANSFORMS-set = setnull, setparsing

[my2-logs]
TRANSFORMS-set = setnull, setparsing

TRANSFORMS.CONF

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = ERROR
DEST_KEY = queue
FORMAT = indexQueue

0 Karma

nls7010
Path Finder

I just realized I asked that comment on the wrong value. It's the REGEX = . line. Is that supposed to have a value of INFO,WARN?

0 Karma

lakshman239
Influencer

What do you want? Do you want INFO and WARN, or ERROR? You can adjust them as per your needs.

# This sends all events to be ignored
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# this says ignore all events, except the ones containing ERROR
[setparsing]
REGEX = ERROR
DEST_KEY = queue
FORMAT = indexQueue
0 Karma

nls7010
Path Finder

OK, I understand, so now I'll need to work with the client to see if everything is getting to the forwarders as needed. I did verify that the props and transforms files made it to all the indexers and that the indexer cluster members were all restarted.

0 Karma

nls7010
Path Finder

I just want the ERROR lines. So I would want to eliminate INFO, WARN, etc. that are not ERROR related.

0 Karma

lakshman239
Influencer

It's a literal. Did you restart your indexer after the changes?

0 Karma

nls7010
Path Finder

Yes, I did a rolling restart, but am still seeing INFO and WARN which I wanted to block out and only get ERROR.

0 Karma

lakshman239
Influencer

Can you test the config in your dev with the above config?

0 Karma

nls7010
Path Finder

I am testing in my development environment and I get the same issue. Nothing gets parsed out; it's all still coming into the logs. I will be working with my client in a little while to ensure the props and transforms made it to the servers (they are containers).

0 Karma

nls7010
Path Finder

They have all been restarted, but it's still sending the INFO and WARN messages 😞

0 Karma

nls7010
Path Finder

There were some code lines surrounding the transforms lines; those were what I was asking about.

0 Karma

nls7010
Path Finder

What if there are multiple source types? I wanted to exclude those lines for the entire index which was created for this customer and they have multiple sourcetypes.

0 Karma

lakshman239
Influencer

For each sourcetype, you need to have the same settings:

[your_sourcetype1]
TRANSFORMS-set = setnull, setparsing

[your_sourcetype2]
TRANSFORMS-set = setnull, setparsing

However, you just need one setting for transforms, as provided earlier.

After updating, you need to restart your indexer, so any new data will have these filters applied.

0 Karma
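An added illustration, not from the thread and not Splunk's own code: a small Python model of the queue routing the answers above rely on. Every transform named in TRANSFORMS-set is evaluated in list order and each one that matches rewrites the queue key, so the last match wins; that is why `setnull, setparsing` keeps only ERROR lines, why the reversed order would drop everything, and why the first post's `REGEX = INFO, WARN` matches only that literal string. The sourcetype names and log lines are constructed.

```python
import re

# Constructed stand-ins for the thread's props.conf and transforms.conf.
# PROPS: sourcetype -> transform names in TRANSFORMS-set order.
PROPS = {
    "my1-logs": ["setnull", "setparsing"],
    "my2-logs": ["setnull", "setparsing"],
    "other-logs": [],  # sourcetype with no TRANSFORMS-set stanza
}
# TRANSFORMS: name -> (REGEX, FORMAT); DEST_KEY = queue for all of them.
TRANSFORMS = {
    "setnull": (re.compile(r"."), "nullQueue"),
    "setparsing": (re.compile(r"ERROR"), "indexQueue"),
}
# The first post's attempt: the REGEX is the literal text "INFO, WARN",
# so a line containing just "INFO" or just "WARN" does not match it.
FIRST_ATTEMPT = {"setnull": (re.compile(r"INFO, WARN"), "nullQueue")}


def route(event, sourcetype, props=PROPS, transforms=TRANSFORMS):
    """Return the queue an event lands in. Transforms run in list order and
    each matching one overwrites the queue key, so the last match decides."""
    queue = "indexQueue"  # default when no transform rewrites the key
    for name in props.get(sourcetype, []):
        regex, fmt = transforms[name]
        if regex.search(event):
            queue = fmt
    return queue


def filter_events(events, props=PROPS, transforms=TRANSFORMS):
    """Return the (sourcetype, event) pairs that reach the index."""
    return [(st, ev) for st, ev in events
            if route(ev, st, props, transforms) == "indexQueue"]


# Constructed sample events, not from the original thread.
SAMPLE = [
    ("my1-logs", "INFO  app started"),
    ("my1-logs", "WARN  disk 85% full"),
    ("my1-logs", "ERROR db connection refused"),
    ("my2-logs", "INFO  health check ok"),
    ("my2-logs", "ERROR auth failure for user alice"),
    ("other-logs", "INFO  sourcetype without the stanza is not filtered"),
]

if __name__ == "__main__":
    for st, ev in filter_events(SAMPLE):
        print(st, ev)
    # Reversed order drops everything: setnull runs last and always matches.
    print(route("ERROR x", "my1-logs", {"my1-logs": ["setparsing", "setnull"]}))
```

Events sent to nullQueue are discarded before indexing and cannot be recovered later, so a regex like this is worth checking against real samples (including INFO lines whose message text happens to contain "ERROR") before pushing it to production.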