Hello,
Our Splunk forwarders are configured to pull in certain logs from various clients with a "[monitor://]" entry in the inputs.conf file on each client.
There is still ongoing development work on these clients, and the developers routinely set log levels to TRACE or DEBUG. These entries are required in the log, but we do not need them in Splunk and they are causing our license volume to be exceeded.
How can I amend the stanzas for these monitored logs to prevent the TRACE and DEBUG entries from being routed to the indexer while allowing all other entries to continue to be processed?
While I find information at the following: http://docs.splunk.com/Documentation/Splunk/6.1.3/Forwarding/Routeandfilterdatad#Keep_specific_events_and_discard_the_rest
it is not clear to me if I am to update the props.conf and transforms.conf at our heavy forwarders, or on our indexer to accomplish the filtering.
Thanks so much.
Michael.