I configured the Advanced Logging log files on a server to be forwarded to Splunk.
This is the structure of the log files:
But I want it to forward only the states different from 200 (Status <> 200). Does anyone know how I can do it?
Regards
Hi,
You can blacklist your input on the forwarder side.
Try something like:
inputs.conf
[monitor://<your_path>]
blacklist = regex
sourcetype = your sourcetype
index = your index
What does your log look like? Maybe you can set the regex to status=200; that could be it.
Hi dkeck, Thank you for your help,
I tried your suggestion, but it doesn't work.
I investigated, and the blacklist used this way is for the file name, but the row that I don't want to forward is inside the file, something like this:
This is the W3C structure
This is the field
"HOMEHOME" 2019-02-14 22:56:35.416 2019-02-14 16:56:35.416 GET /home/Mobile.WebSite/api/breeze/ - 99.99.9.999 200 0 224