Hi there,
Is there any way on a Splunk search peer or forwarder to filter the data? For example, log messages that contain DEBUG or INFO should be filtered before getting indexed in Splunk.
Yes, many ways, starting with monitor filtering with white and black listing, and all the way to filtering and routing with props.conf and transforms.conf:
https://docs.splunk.com/Documentation/Splunk/7.3.0/Data/Whitelistorblacklistspecificincomingdata
https://docs.splunk.com/Documentation/Splunk/7.3.0/Forwarding/Routeandfilterdatad
and some more specific to your use case answers:
https://answers.splunk.com/answers/257216/how-to-filter-out-debug-logs-except-3-different-lo.html
https://answers.splunk.com/answers/59370/filtering-events-using-nullqueue-1.html
hope it helps
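The two approaches named in the answer above, as an added configuration example that is not part of the original posts: an inputs.conf blacklist skips whole files by path, while props.conf plus transforms.conf drops individual events by content. The sourcetype `myapp:log`, the monitored path, the stanza name `drop_debug_info`, and the log layout (date, time, then level) are assumptions made for illustration.

```ini
# --- inputs.conf (on the forwarder) ---------------------------------
# File-level filtering: the blacklist regex is matched against the
# file PATH, so it can skip whole files but cannot look inside events.
# Path and sourcetype below are hypothetical.
[monitor:///var/log/myapp]
sourcetype = myapp:log
blacklist = \.debug\.log$

# --- props.conf (on the instance that parses the data) --------------
# Event-level filtering: attach a transform to the sourcetype.
[myapp:log]
TRANSFORMS-drop_verbose = drop_debug_info

# --- transforms.conf (same instance as props.conf) ------------------
# Events whose raw text matches REGEX are routed to nullQueue and are
# discarded before indexing.
# Assumed event layout (constructed sample):
#   2019-07-01 12:00:00,123 INFO [main] starting worker
# The pattern is anchored on the level field, so an ERROR event that
# merely contains the word "INFO" in its message text is kept.
[drop_debug_info]
REGEX = ^\d{4}-\d{2}-\d{2}\s+\S+\s+(?:DEBUG|INFO)\b
DEST_KEY = queue
FORMAT = nullQueue
```

The props.conf and transforms.conf stanzas take effect where events are parsed, which is an indexer (search peer) or a heavy forwarder; a universal forwarder does not apply them to unstructured log data.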
Depends on how you ingest Docker logs. With collectord you can annotate to drop some log lines; see https://www.outcoldsolutions.com/docs/monitoring-docker/v5/annotations/#example-2-dropping-messages