Solved: Heavy forward filter in udp port

chengyu · ‎05-26-2014

Hi, i use heavy forward setting data input port:514 and index=abcd after setting Forwarding and receiving » Forward data "192.168.1.128:19997", i'm try heavy filter.

step.1
props.conf
[source::udp:514]
TRANSFORMS-null= setnull

step.2
[setnull]
REGEX=REGEX=[.FGT60C3G13010319.]
DEST_KEY=queue
FORMAT=nullQueue

step.3
restart splunk forward host

my raw data:
May 26 15:16:41 192.168.1.99 date=2014-05-26 time=15:16:43 devid=FGT60C3G13010319 ...
can't filter
May 26 15:16:41 192.168.1.99 date=2014-05-26 time=15:16:43 devid= ...

chengyu · ‎05-26-2014

I'm resolve, i'm re-modify props.conf and clear transforms.conf

props.conf
[source::udp:514]
SEDCMD-nodeviceid = s/\sdevid=\w+\s/ /g

transforms.conf
(null)

restart splunk forward process.

success..^ ^

View solution in original post

chengyu · ‎05-26-2014

I'm resolve, i'm re-modify props.conf and clear transforms.conf

props.conf
[source::udp:514]
SEDCMD-nodeviceid = s/\sdevid=\w+\s/ /g

transforms.conf
(null)

restart splunk forward process.

success..^ ^

Heavy forward filter in udp port

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor