I am trying to minimize the amount of apps I have by putting paths into inputs.conf that may or may not exist on all hosts in the serverclass. I am getting a ton of the following:
12-18-2015 16:58:33.907 +0000 WARN FilesystemChangeWatcher - error getting attributes of path "e:\Directory": The device is not ready.
I realize that this is legit, but how can I make it so Splunk does not index these events?
Thank you all! I looked for this category in log.cfg and could not find it. Do I add it?
You can add it.
[splunkd]
category.FileInputTracker=ERROR
Another solution is to tune your log level to stop recording those "WARN" events for the category "FilesystemChangeWatcher"
On the forwarder, take a look at $SPLUNK_HOME/etc/log.cfg.
Change the log level for FilesystemChangeWatcher to "ERROR" and restart to apply.
See http://docs.splunk.com/Documentation/Splunk/6.3.1511/AdvancedDev/ModInputsLog
You can drop these events at the indexer during parsing (before they are indexed) or use a heavy forwarder to parse the events out before sending to your indexer:
https://answers.splunk.com/answers/111257/universal-forwarder-nullqueue.html
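The two answers above (raising the category's log level in log.cfg on the forwarder, or routing matching events to nullQueue with a props/transforms pair) can be modelled outside Splunk to see exactly which lines each one keeps. The following is an added example, not code from Splunk or from any poster in this thread. It parses splunkd.log lines using the field layout visible in the quoted WARN line (date, time, timezone, level, category, " - ", message), which is an assumption about the format; the severity ordering in SEVERITY is also assumed. The first sample line is the one from the question; the other two are constructed so that each filter has something to keep and something to drop.

```python
import re

# splunkd.log lines. The first is the WARN line quoted in the question; the other
# two are constructed here so each filter has something to keep and something to drop.
SAMPLE_LOG = [
    '12-18-2015 16:58:33.907 +0000 WARN FilesystemChangeWatcher - error getting attributes of path "e:\\Directory": The device is not ready.',
    '12-18-2015 16:58:34.100 +0000 ERROR FilesystemChangeWatcher - constructed: error from the same category at ERROR level',
    '12-18-2015 16:58:35.200 +0000 INFO TailingProcessor - constructed: unrelated category whose message mentions FilesystemChangeWatcher',
]

# Assumed field layout of a splunkd.log line: date time tz LEVEL Category - message
LINE_RE = re.compile(
    r"^(?P<date>\d{2}-\d{2}-\d{4}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) (?P<tz>[+-]\d{4}) "
    r"(?P<level>[A-Z]+) (?P<category>\S+) - (?P<message>.*)$"
)

# Assumed severity ordering for the levels splunkd.log uses.
SEVERITY = {"DEBUG": 0, "INFO": 1, "WARN": 2, "ERROR": 3, "FATAL": 4, "CRIT": 4}


def parse_line(line):
    """Split one splunkd.log line into its fields; return None if it does not fit the layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def filter_by_log_level(lines, category_levels, default="INFO"):
    """Model the log.cfg approach: a category only emits lines at or above its configured level.

    category_levels maps a category name to its level, like a
    'category.FilesystemChangeWatcher=ERROR' line on the forwarder would.
    """
    kept = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            kept.append(line)  # lines that do not parse are passed through untouched
            continue
        threshold = category_levels.get(rec["category"], default)
        if SEVERITY.get(rec["level"], 0) >= SEVERITY[threshold]:
            kept.append(line)
    return kept


def filter_by_nullqueue_regex(lines, regex):
    """Model the transforms.conf approach: any line matching REGEX is routed to nullQueue.

    Splunk tests REGEX against the raw event (SOURCE_KEY defaults to _raw), so the
    same unanchored search is applied here to the whole line.
    """
    pattern = re.compile(regex)
    return [line for line in lines if not pattern.search(line)]


# The loose pattern from the follow-up post, and a tighter one anchored on the
# level and category fields so it drops only WARN lines from that category.
LOOSE_REGEX = r".*FilesystemChangeWatcher.*"
CATEGORY_REGEX = r"^\S+ \S+ [+-]\d{4} WARN FilesystemChangeWatcher - "


def categories_of(lines):
    """Inspection helper: (level, category) pairs of the lines that survive a filter."""
    return [(r["level"], r["category"]) for r in map(parse_line, lines) if r]


if __name__ == "__main__":
    print("log.cfg style     :", categories_of(filter_by_log_level(SAMPLE_LOG, {"FilesystemChangeWatcher": "ERROR"})))
    print("loose nullQueue   :", categories_of(filter_by_nullqueue_regex(SAMPLE_LOG, LOOSE_REGEX)))
    print("anchored nullQueue:", categories_of(filter_by_nullqueue_regex(SAMPLE_LOG, CATEGORY_REGEX)))
```

Running it shows the difference between the two routes: the log.cfg setting suppresses the WARN line while still letting ERROR lines from FilesystemChangeWatcher through, whereas the loose `.*FilesystemChangeWatcher.*` regex sends every line containing that string to nullQueue, including the ERROR line you would normally want to keep and any other category whose message merely mentions it. Anchoring the REGEX on the level and category fields keeps the drop narrow, and because the transform runs at parsing time it has to live on an indexer or heavy forwarder rather than on a universal forwarder.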
Thank you for the response. I set this up and it is not working. I think I have the REGEX field wrong.
Props.conf:
[splunkd]
TRANSFORMS = nullMon
Transforms.conf:
[nullMon]
REGEX = .*FilesystemChangeWatcher.*
DEST_KEY = queue
FORMAT = nullQueue