Hello:
What do I have to set in inputs.conf or outputs.conf of the forwarder so that I can send only a selected portion of the application log file to the indexer? At present our setup forwards the whole log file, which we don't need, and this is also hurting network performance.
Thanks
Somnath
Take a look at the following in the manual
Perform selective indexing and forwarding
You can filter the data in two different places:
The syntax and configuration files are exactly the same in either case - it is simply a matter of where you put them.
Example: Assume that the data you want to filter is in a file named big.log. (Note that in real life, you would have to provide the full path.)
You want to eliminate any lines that have the word INFO or WARN.
In the configuration file $SPLUNK_HOME\etc\system\local\props.conf
[source::big.log]
TRANSFORMS-t1 = filterEvents
In the configuration file $SPLUNK_HOME\etc\system\local\transforms.conf
[filterEvents]
REGEX = (?:INFO|WARN)
DEST_KEY = queue
FORMAT = nullQueue
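For the inverse case the question asks about (forward only selected events and drop the rest), here is an added example that is not part of the original answer or the Splunk documentation; the path /var/log/app/big.log and the ERROR/FATAL pattern are assumptions. Both files go in $SPLUNK_HOME/etc/system/local on the heavy forwarder or indexer, since nullQueue routing happens in the parsing pipeline and a universal forwarder does not apply it.

```ini
# props.conf (added example; assumes the monitored file is /var/log/app/big.log
# and that only events containing ERROR or FATAL should be indexed)
[source::/var/log/app/big.log]
TRANSFORMS-route = dropAll, keepErrors

# transforms.conf
# Transforms in TRANSFORMS-route run in the listed order. dropAll matches every
# event and sends it to nullQueue; keepErrors runs afterwards and, for the events
# its REGEX matches, overrides the queue back to indexQueue. Everything else is
# discarded before indexing.
[dropAll]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[keepErrors]
REGEX = \b(?:ERROR|FATAL)\b
DEST_KEY = queue
FORMAT = indexQueue
```

Events routed to nullQueue are dropped before indexing and cannot be recovered later, so test the REGEX against a sample of the file before deploying it.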
Thanks a lot.
Probably we would go with the heavy forwarder. I looked into your attached document but couldn't figure out the configuration for selective event forwarding. Can you please provide a sample configuration file?