Hi,
I'd like to filter out "%ASA-4-106023" before sending logs to the Splunk indexer. Below is my config:
inputs.conf
[monitor:///var/log/]
outputs.conf:
[tcpout]
defaultGroup = splunk-indexer.dax.net_9090
disabled = false
[tcpout:splunk-indexer.dax.net_9090]
server = <ip_to_splunk-indexer>:9090
[tcpout-server://<ip_to_splunk-indexer>:9090]
props.conf
[source::
I'd just have the Test1 rule look like this:
[Test1]
REGEX = %ASA-4-106023
DEST_KEY = queue
FORMAT = nullQueue
Wildcards aren't necessary for this particular filtration, and in fact the bare * is confusing: it's intended to "repeat 0 or more of the prior character".
I tried again:
inputs.conf
[monitor:///var/log/]
outputs.conf
[tcpout]
defaultGroup = splunk-indexer.dax.net_9090
disabled = false
[tcpout:splunk-indexer.dax.net_9090]
server = 89.254.127.19:9090
[tcpout-server://89.254.127.19:9090]
props.conf
[source::</var/log]
TRANSFORMS-FilterEvent = Test1
transforms.conf
[Test1]
REGEX = *106023*
DEST_KEY = queue
FORMAT = nullQueue
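To make the answer's point concrete, here is an added example (not from the thread or from Splunk itself) that simulates the nullQueue routing: it parses the corrected [Test1] stanza, applies its REGEX to a few constructed ASA syslog lines, and shows that the bare-star pattern from the follow-up config does not even compile. Sample log lines, the helper names parse_transforms, route_events and regex_is_valid, and the assumption that Splunk's PCRE engine rejects a leading quantifier the same way Python's re does are all mine. Keep in mind that ASA-4-106023 is the ACL deny message; whatever this filter drops at the forwarder is gone before indexing and cannot be searched later, so confirm that is the intended trade-off for these events.

```python
import re

# Constructed sample Cisco ASA syslog lines (not from the original thread).
SAMPLE_EVENTS = [
    '%ASA-4-106023: Deny tcp src outside:198.51.100.7/51234 dst inside:10.0.0.5/22 by access-group "OUTSIDE_IN"',
    "%ASA-6-302013: Built inbound TCP connection 4711 for outside:198.51.100.9/4433 to inside:10.0.0.5/443",
    '%ASA-4-106023: Deny udp src outside:203.0.113.4/53 dst inside:10.0.0.20/1024 by access-group "OUTSIDE_IN"',
    "%ASA-5-111008: User 'admin' executed the 'configure terminal' command.",
]

# The corrected transforms.conf stanza from the answer, embedded as text so the
# script runs offline; the stanza name Test1 is the one used in the thread.
TRANSFORMS_CONF = """
[Test1]
REGEX = %ASA-4-106023
DEST_KEY = queue
FORMAT = nullQueue
"""


def parse_transforms(conf_text):
    """Minimal parser for the [stanza] / key = value layout of transforms.conf."""
    stanzas, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def route_events(events, transform):
    """Apply one queue-routing transform: events whose raw text matches REGEX go
    to the queue named by FORMAT (nullQueue means dropped); all others continue
    to the index queue. Only DEST_KEY = queue transforms are simulated here."""
    if transform.get("DEST_KEY") != "queue":
        raise ValueError("this simulator only handles DEST_KEY = queue")
    pattern = re.compile(transform["REGEX"])
    routed = {"indexQueue": [], transform["FORMAT"]: []}
    for event in events:
        dest = transform["FORMAT"] if pattern.search(event) else "indexQueue"
        routed[dest].append(event)
    return routed


def regex_is_valid(regex):
    """True if the pattern compiles. A leading bare '*' such as '*106023*' is
    rejected by Python's re ("nothing to repeat") and, by assumption here, by
    the PCRE engine Splunk uses, so that transform would never fire."""
    try:
        re.compile(regex)
        return True
    except re.error:
        return False


if __name__ == "__main__":
    rule = parse_transforms(TRANSFORMS_CONF)["Test1"]
    result = route_events(SAMPLE_EVENTS, rule)
    print(f"dropped to {rule['FORMAT']}: {len(result[rule['FORMAT']])}")
    print(f"forwarded to indexQueue: {len(result['indexQueue'])}")
    print("bare-* regex compiles:", regex_is_valid("*106023*"))
```

Running it drops the two 106023 lines and forwards the other two, and reports that "*106023*" does not compile, which is the behaviour the answer describes. If the filter is meant to apply only to the ASA source rather than everything under /var/log, scope the props.conf [source::...] stanza to that file instead of the whole directory.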