Hello,
I've been spending the last month experimenting with Splunk. Lately, I've tried to reroute a specific event to the nullQueue, with the intention of preventing it from being indexed:
May 18 12:52:43 lnx-iadevopsnode2 kubelet: E0518 12:52:43.207579 4688 file.go:76] Unable to read manifest path "/etc/kubernetes/manifests": path does not exist, ignoring
Using the following props.conf:
[kubelet]
TRANSFORMS-manifest = setmanifestnull
and transforms.conf:
[setmanifestnull]
REGEX=(Unable to read)
DEST_KEY=queue
FORMAT=nullQueue
The default index is main. When I run a real-time search: index=main, the event still occurs. However, if I change the search to index=main sourcetype=kubelet the event does not occur.
Why could this be?