I can't quite find a way to block this particular event from being indexed. Blacklisting doesn't seem to be an option and the transforms regex method is just a little over my head in this scenario. Here is the event below. This one event generates over a million events a week and is killing my license. I need to block it until the issue is resolved and it is taking a while to nail it down.
LogName=Application
SourceName=SlxSearchTrigger
EventCode=4
EventType=2
Type=Error
ComputerName=Example-SLX
TaskCategory=None
OpCode=None
RecordNumber=237604
Keywords=Classic
Message=Execute Method: Recordset not returned from Trigger_Params
If what you listed is the raw log text (not field names with values) then you can do something like this on your Indexers:
###props.conf
[PutYourSourcetypeHere]
TRANSFORMS-license_killers = recordset_not_returned
###transforms.conf
[recordset_not_returned]
REGEX = (?m)^Message=Execute Method: Recordset not returned from Trigger_Params$
DEST_KEY = queue
FORMAT = nullQueue
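An added example, not part of the original answer and not Splunk code: a small Python dry run of the props.conf/transforms.conf pair above against constructed sample events, to confirm before deploying that only the noisy event is routed to nullQueue. It assumes Python's `re` matches this pattern the same way Splunk's PCRE does and treats any matching nullQueue transform as a drop; `parse_conf`, `is_dropped` and `event` are hypothetical helper names.

```python
import re

# Config copied from the answer above; the sourcetype name is its placeholder.
PROPS = """
[PutYourSourcetypeHere]
TRANSFORMS-license_killers = recordset_not_returned
"""
TRANSFORMS = """
[recordset_not_returned]
REGEX = (?m)^Message=Execute Method: Recordset not returned from Trigger_Params$
DEST_KEY = queue
FORMAT = nullQueue
"""

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}} (no continuation lines)."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)  # split once: the REGEX contains '='
            current[key.strip()] = value.strip()
    return stanzas

def is_dropped(raw, sourcetype, props=PROPS, transforms=TRANSFORMS):
    """True if a transform bound to the sourcetype sends raw to nullQueue."""
    p, t = parse_conf(props), parse_conf(transforms)
    for key, names in p.get(sourcetype, {}).items():
        if not key.startswith("TRANSFORMS-"):
            continue
        for name in (n.strip() for n in names.split(",")):
            tr = t.get(name, {})
            if (tr.get("DEST_KEY"), tr.get("FORMAT")) != ("queue", "nullQueue"):
                continue  # simplification: only nullQueue routing is modelled
            if re.search(tr["REGEX"], raw):
                return True
    return False

def event(message, code=4):
    """Constructed sample event in the layout shown in the question."""
    return (f"LogName=Application\nSourceName=SlxSearchTrigger\nEventCode={code}\n"
            f"Type=Error\nComputerName=Example-SLX\nMessage={message}")
```

Because the pattern is anchored with `^` and `$`, other errors from the same source, including ones that merely begin with the same message text, stay indexed.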
Thanks! I'll give it a shot today.
Once I finally realized this was for the indexer, not the forwarders, I got it working. Thanks! I had been thinking we had to prevent the data from even going to the indexer. This seems to be doing the trick, as I have stopped the events from showing up in search - and also it appears the license consumption has gone down some. Not as much as expected, but it is better!