I am trying to minimize the noise level (across the WAN) generated by Splunk to the greatest degree possible.
With review of index=_internal source=splunkd, I see that each of my universal forwarders is forwarding lines from splunkd.log. This log file is very noisy with most components logging INFO level events by default. I want to change most of the logging levels to >= WARN.
I know this can be done by manually altering logging levels in `.\etc\log.cfg`. Does anyone have any experience managing this configuration as a deployment app? I imagine it would be possible with deployment of a script to execute line changes. Is this a bad idea?
Input appreciated.