Hi
Is there an option to ingest the logs of only one process from the Windows servers, ignoring the rest of the events?
Hi Kiran,
Yes it's possible to do while ingesting the data.
Configure the event-level transformations on the indexer.
Note: pattern will be your Windows process.
transforms.conf
# Events that mention the process are routed to the target index.
# Replace "pattern" with the process name and <index1> with the index.
[eventsRoute]
REGEX = pattern
DEST_KEY = _MetaData:Index
FORMAT = <index1>

# Events that do NOT mention the process anywhere are discarded.
# A bare (?!pattern) matches every event, because the end of the event
# always satisfies a negative lookahead; anchor it with ^ and use (?s)
# so that .* can cross the line breaks of a multi-line Windows event.
[eventsDrop]
REGEX = (?s)^(?!.*pattern)
DEST_KEY = queue
FORMAT = nullQueue

props.conf
[Yoursourcetype]
TRANSFORMS-neglect = eventsDrop
TRANSFORMS-ingest = eventsRoute
Regards,
Mahesh
... with the small note that the pattern for eventsDrop could be .*, to send EVERYTHING to the nullQueue unless it was later overridden by matching the pattern for eventsRoute.