Dumping Splunk Events

We have a Nagios instance set up so that, using MK-Livestatus and Splunk, we are able to push all of Nagios's alerts through Livestatus's socket thanks to a call from Splunk.

However, Splunk is now receiving data which, when someone uses the application to search through its events, is getting its fair share of "OK" states of events. We want to be able to remove these excess events so they do not come up when someone is searching the logs within Splunk. The most obvious solution in this case is to adjust the search index when using Splunk to dig through logs. However, this is unacceptable in the face of the end user, who is not as knowledgeable and does not have the time and resources to educate themselves in depth on Splunk.

That being said, we need to have a way to dump these excess logs through some type of filter. This may include configuration of Nagios, Livestatus, and/or Splunk, or installation of new software to do this, but I am at a loss as to what would be most effective or what works, to the best of my knowledge.

Answer

Obviously you can exclude things from a search, but you don't want to do that, and you can't remove entries once the data has been indexed. But you can use props to exclude entries from being forwarded to the indexers, though this requires an intermediary forwarder if your 'client' data isn't being sent from a Splunk forwarder of some type (i.e. it's just sending syslog or similar).

Attribution
Source: Link, Question Author: Jouster500, Answer Author: Chopper3
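The props-based filter the answer refers to is a parse-time route to Splunk's nullQueue, configured in props.conf and transforms.conf on the first full Splunk instance that parses the data (a heavy forwarder or the indexer; a universal forwarder does not evaluate TRANSFORMS). The following is an added example and is not part of the answer or of the original page. The sourcetype name `nagios:livestatus` and the event layout (one semicolon-separated Livestatus row per event, service state in the third column, 0 meaning OK) are assumptions made for the example; the regex has to be adapted to whatever the Livestatus scripted input actually emits.

```ini
# props.conf  (e.g. $SPLUNK_HOME/etc/system/local/props.conf on the heavy
# forwarder or indexer that first parses the events; a universal forwarder
# does not apply TRANSFORMS, so the filter cannot live there)
#
# The sourcetype name is an assumption; use the one your Livestatus scripted
# input is configured with.
[nagios:livestatus]
# Livestatus returns one row per line, so index each line as its own event
# instead of letting Splunk merge lines into multi-line events.
SHOULD_LINEMERGE = false
# Run the nagios_drop_ok transform (defined below) at parse time.
TRANSFORMS-drop_ok = nagios_drop_ok

# transforms.conf  (same directory)
#
# Assumed event layout, as returned by a Livestatus "GET services" query with
# its default ';' separated output:
#   host_name;description;state;plugin_output
# Service state 0 is OK. The regex is anchored at the start of the line and
# walks the first two fields explicitly, so a stray "0" somewhere in the
# plugin output cannot match. REGEX is applied to _raw by default.
# Matching events are routed to nullQueue: they are never indexed and do not
# count against the license, but the drop is irreversible.
[nagios_drop_ok]
REGEX = ^[^;]*;[^;]*;0;
DEST_KEY = queue
FORMAT = nullQueue
```

Restart splunkd (or reload the configuration) after editing, then confirm the stanza is actually in effect with `splunk btool props list nagios:livestatus --debug`, which also shows which file each setting came from if another app overrides it. Because events sent to nullQueue cannot be recovered, test the pattern against already-indexed data first, for example with `sourcetype=nagios:livestatus | regex _raw="^[^;]*;[^;]*;0;"`, and check that only OK rows come back. Note that for a `GET hosts` query state 0 means UP rather than OK; if host rows are collected under a separate sourcetype, give them their own stanza and transform rather than reusing this one blindly.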
