I set up a Splunk heavy forwarder and a Splunk indexer.
I want to filter some events before they are indexed on the Splunk indexer.
*** Example log I want to filter
2011-02-05 00:02:00,018 INFO [Cron_SendFaxNTF] - <BEGIN Send Notification Fax...>
2011-02-05 00:02:00,034 INFO [Cron_SendFaxNTF] - <BEGIN Send Notifications...>
I tried to configure both the indexer and the forwarder, but it does not work!
*** props.conf
[iCIS_log]
# Run the icisLog-null transform on every event of this sourcetype
TRANSFORMS-icisLog = icisLog-null
*** transforms.conf
[icisLog-null]
# REGEX is applied to the raw event text; a match sends the event to nullQueue (discarded)
REGEX = ^\d+-\d+-\d+\s\d+:\d+:\d+,\d+\sINFO.*
DEST_KEY = queue
FORMAT = nullQueue
Help me please!
In your inputs.conf, do you have your monitor set to the correct sourcetype (iCIS_log)?
Possibly tune your REGEX as such: ^\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2},\d{3}\s+INFO
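To check what the two regexes actually do against the posted events before touching the .conf files again, here is an added example (not part of the original thread) that mimics Splunk's nullQueue routing in Python: it applies each REGEX to the raw event text the way a transforms.conf stanza with DEST_KEY = queue and FORMAT = nullQueue does, and reports which events would be discarded. The two INFO lines are the ones from the question; the ERROR line is constructed for contrast. Python's re module stands in for Splunk's PCRE engine, which is equivalent for these patterns.

```python
import re

# Sample events: the two INFO lines from the question, plus one constructed
# non-INFO line that the filter should leave alone.
SAMPLE_EVENTS = [
    "2011-02-05 00:02:00,018 INFO [Cron_SendFaxNTF] - <BEGIN Send Notification Fax...>",
    "2011-02-05 00:02:00,034 INFO [Cron_SendFaxNTF] - <BEGIN Send Notifications...>",
    "2011-02-05 00:02:01,107 ERROR [Cron_SendFaxNTF] - <Fax gateway unreachable>",  # constructed
]

# REGEX from the question's transforms.conf and the tightened one from the answer.
ORIGINAL_REGEX = r"^\d+-\d+-\d+\s\d+:\d+:\d+,\d+\sINFO.*"
TIGHTENED_REGEX = r"^\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2},\d{3}\s+INFO"


def route(event: str, regex: str) -> str:
    """Mimic a transforms.conf stanza with DEST_KEY = queue / FORMAT = nullQueue.

    Splunk evaluates REGEX against the raw event text (_raw) with search
    semantics (not implicitly anchored). A match routes the event to nullQueue,
    i.e. it is discarded; no match leaves it on the normal indexing path.
    """
    return "nullQueue" if re.search(regex, event) else "indexQueue"


def apply_filter(events, regex):
    """Split a batch of raw events into (kept, dropped) for a given REGEX."""
    kept, dropped = [], []
    for ev in events:
        (dropped if route(ev, regex) == "nullQueue" else kept).append(ev)
    return kept, dropped


if __name__ == "__main__":
    for name, regex in (("original", ORIGINAL_REGEX), ("tightened", TIGHTENED_REGEX)):
        kept, dropped = apply_filter(SAMPLE_EVENTS, regex)
        print(f"{name} REGEX: dropped {len(dropped)}, kept {len(kept)}")
        for ev in kept:
            print("  kept:", ev)
```

Both patterns drop the two INFO events and keep the ERROR one, so if INFO events still reach the index the regex itself is not the problem. The usual suspects are the sourcetype on the input not matching the props.conf stanza name character for character, the instance not having been restarted after the change, or the props/transforms pair living on the wrong host: nullQueue routing happens in the parsing pipeline, and once a heavy forwarder has parsed the data the indexer does not parse it again, so with this topology the filter has to be in effect on the heavy forwarder.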
Yes, I monitor the sourcetype "iCIS log" and tried to configure both the indexer and the forwarder.
I'll test with your regex and update with the result later.