Hi
We are looking at Splunk as a way to log specific activities on our website.
I think in writing this, I see what I am missing, but cannot figure out where to place it.
From our webserver, we have a universal forwarder sending access_log to the Splunk index, "newweb".
I have system/local/transforms.conf with 3 stanzas like the ones below. You will see I have attempted two different versions of filtering. The string patterns in the REGEX are parts of URLs we are interested in.
Currently, no requests are being filtered. We want only those URLs in the two setparsing stanzas to make it into the index.
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing1]
REGEX = GET\s/about/people/cord_thomas
DEST_KEY = queue
FORMAT = indexQueue

[setparsing2]
REGEX = about/history/company_at_a_glance
DEST_KEY = queue
FORMAT = indexQueue
I have system/local/props.conf with a single stanza:
[apache_log]
TRANSFORMS-set=setnull,setparsing1, setparsing
I see that in no way am I telling Splunk to apply the transforms to my index, newweb. Where might I do that?
Thank you
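An added example, not part of the original post and not Splunk's own code: a Python model of the queue routing that the three transforms.conf stanzas describe, run over constructed access_log lines. It assumes the transforms list names all three stanzas defined above (setnull, setparsing1, setparsing2) and that transforms run in the listed order, with the last matching one setting the queue.

```python
import re

# Transforms copied from the post's transforms.conf: name -> (REGEX, FORMAT).
TRANSFORMS = {
    "setnull": (r".", "nullQueue"),
    "setparsing1": (r"GET\s/about/people/cord_thomas", "indexQueue"),
    "setparsing2": (r"about/history/company_at_a_glance", "indexQueue"),
}

# Constructed access_log lines (not taken from the post).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /about/people/cord_thomas HTTP/1.1" 200 5120',
    '192.0.2.11 - - [01/Jan/2024:10:00:01 +0000] "GET /about/history/company_at_a_glance HTTP/1.1" 200 7300',
    '192.0.2.12 - - [01/Jan/2024:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '192.0.2.13 - - [01/Jan/2024:10:00:03 +0000] "POST /about/people/cord_thomas HTTP/1.1" 200 88',
    '192.0.2.14 - - [01/Jan/2024:10:00:04 +0000] "POST /about/history/company_at_a_glance HTTP/1.1" 200 90',
]

# Assumed order: discard everything first, then re-route the wanted URLs.
INTENDED = ["setnull", "setparsing1", "setparsing2"]
# Same stanzas with the catch-all last, for comparison.
CATCH_ALL_LAST = ["setparsing1", "setparsing2", "setnull"]


def route(event, order, default="indexQueue"):
    """Return the final queue for one raw event.

    Every transform whose REGEX matches overwrites the queue key, so the
    last matching transform in the list decides where the event goes.
    """
    queue = default
    for name in order:
        regex, dest = TRANSFORMS[name]
        if re.search(regex, event):  # unanchored match against the raw event
            queue = dest
    return queue


def kept(events, order):
    """Events that would still reach the index after routing."""
    return [e for e in events if route(e, order) == "indexQueue"]


if __name__ == "__main__":
    for line in SAMPLE:
        print(route(line, INTENDED).ljust(10), line)
```

The two sample POST lines show the difference between the two filter versions: setparsing1 requires the GET method, while setparsing2 matches the path under any method.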