Hi,
I had enabled Perfmon:Process and WinNetMon events in the universal forwarders on all Windows servers. However, these started sending a huge number of events, which is eating up my indexing license. I would like to filter out these events at the indexer until we upgrade the license in another six months or so.
sourcetype = Perfmon:Process
sourcetype = WinNetMon
I created filtering options in props.conf and transforms.conf for filtering out events. I was successful in filtering out WinNetMon. However, Perfmon:Process events are still appearing in search.
Not sure where I'm getting this wrong. Setup: all Windows servers have a UF which is sending events to the indexer. I don't have access to the Windows servers, hence my only option is to filter out events at the indexer level. Please help.
props.conf
[WinNetMon]
TRANSFORMS-winnetmon__nullqueue = WinNetMon_to_null
[perfmonProcess]
TRANSFORMS-Perfmon_nullqueue = Perfmon_to_null
transforms.conf
[WinNetMon_to_null]
SOURCE_KEY = MetaData:Sourcetype
REGEX = WinNetMon
DEST_KEY = queue
FORMAT = nullQueue
[Perfmon_to_null]
SOURCE_KEY = MetaData:Sourcetype
REGEX = Perfmon
DEST_KEY = queue
FORMAT = nullQueue
Hi ramesh_babu71, You'll have to set the name of the sourcetype in your props stanza to Perfmon:Process. Currently you have perfmonProcess, which won't line up with the sourcetype you want to filter out.
Additionally, since this is a very focused transforms stanza, you can have the regex be more liberal, and set it to something like (.) to have it match any event.
Please let me know if this answers your question! 😄
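As an added illustration (not part of this thread, and a deliberately simplified model rather than Splunk's real parsing pipeline), the following Python script parses the props.conf and transforms.conf stanzas from the question and routes constructed sample events through them. It shows why the stanza name matters: with `[perfmonProcess]` the Perfmon:Process events never hit the transform and stay in indexQueue, while `[Perfmon:Process]` sends them to nullQueue. Names such as `PROPS_AS_POSTED`, `route_event` and the sample events are mine; the model assumes a sourcetype stanza matches by exact string comparison.

```python
import re
from typing import Dict, List

# Stanzas as posted in the question (props uses the wrong stanza name).
PROPS_AS_POSTED = """
[WinNetMon]
TRANSFORMS-winnetmon_nullqueue = WinNetMon_to_null
[perfmonProcess]
TRANSFORMS-Perfmon_nullqueue = Perfmon_to_null
"""

# Same props with the stanza renamed to the real sourcetype, as the answer suggests.
PROPS_FIXED = """
[WinNetMon]
TRANSFORMS-winnetmon_nullqueue = WinNetMon_to_null
[Perfmon:Process]
TRANSFORMS-Perfmon_nullqueue = Perfmon_to_null
"""

TRANSFORMS = """
[WinNetMon_to_null]
SOURCE_KEY = MetaData:Sourcetype
REGEX = WinNetMon
DEST_KEY = queue
FORMAT = nullQueue
[Perfmon_to_null]
SOURCE_KEY = MetaData:Sourcetype
REGEX = Perfmon
DEST_KEY = queue
FORMAT = nullQueue
"""


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .conf parser: [stanza] headers followed by key = value lines."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def route_event(event: Dict[str, str], props: Dict[str, Dict[str, str]],
                transforms: Dict[str, Dict[str, str]]) -> str:
    """Return the queue an event ends up in: 'indexQueue' (counted against the
    license) or 'nullQueue' (discarded before indexing).

    Assumption for this demo: a sourcetype stanza in props applies only when its
    name equals the event's sourcetype exactly; [host::...] and [source::...]
    stanzas are not modelled."""
    stanza = props.get(event["sourcetype"])
    if stanza is None:
        return "indexQueue"
    queue = "indexQueue"
    for key, value in stanza.items():
        if not key.startswith("TRANSFORMS-"):
            continue
        for name in (n.strip() for n in value.split(",")):
            t = transforms[name]
            # SOURCE_KEY defaults to _raw in Splunk; MetaData:Sourcetype selects the sourcetype.
            source_key = t.get("SOURCE_KEY", "_raw")
            subject = event["sourcetype"] if source_key == "MetaData:Sourcetype" else event["_raw"]
            if t.get("DEST_KEY") == "queue" and re.search(t["REGEX"], subject):
                queue = t["FORMAT"]
    return queue


def summarize(props_text: str, events: List[Dict[str, str]]) -> Dict[str, str]:
    """Map each event's sourcetype to the queue it lands in under the given props."""
    props = parse_conf(props_text)
    transforms = parse_conf(TRANSFORMS)
    return {e["sourcetype"]: route_event(e, props, transforms) for e in events}


# Constructed sample events (not real data from the asker's environment).
SAMPLE_EVENTS = [
    {"sourcetype": "Perfmon:Process", "_raw": "collection=Process object=Process counter=% Processor Time"},
    {"sourcetype": "WinNetMon", "_raw": "LocalAddress=10.0.0.5 RemoteAddress=10.0.0.9 Protocol=TCP"},
    {"sourcetype": "WinEventLog:Security", "_raw": "EventCode=4624 An account was successfully logged on."},
]

if __name__ == "__main__":
    for label, props_text in (("as posted", PROPS_AS_POSTED), ("fixed", PROPS_FIXED)):
        print(label, summarize(props_text, SAMPLE_EVENTS))
```

Running it prints that Perfmon:Process stays in indexQueue with the posted props and moves to nullQueue once the stanza is renamed, while WinNetMon is dropped in both cases and the unrelated WinEventLog:Security events are untouched. Because nullQueue routing happens in the indexer's parsing stage, the discarded events are never indexed and do not count toward the license, which is what makes this different from merely hiding the data at search time.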
Thanks that worked. 🙂