I have these types of logs coming into Splunk today from 3 heavy forwarders (syslog servers) via inputs.conf apps I've deployed from a deployer.
Sep 27 07:11:08 hq1acptrvra1202.me.com ea_tomcat: env=ACPT profile=claymore Sep 27 07:11:08 hq1acptrvra1202.me.com ea_tomcat: env=ACPT profile=claymore (nmon) CMD (/etc/nmon-logger/bin/nmon_helper.sh /etc/nmon-logger /var/log/nmon-logger >> /var/log/nmon-logger/nmon_collect.log 2>&1)
I want to send all events with "nmon" in them to the Null Queue. I created an app to send out props/transforms to the Heavy Forwarders and for consistency I sent the same to our cluster of indexers. Logs are still coming in. What are we missing?
Source:
/vcaclog/ACPT/broker-fad-api/hq1acptrvra0775.me.com/ea_tomcat.log
Every segment after /vcaclog/ can be dynamic.
props.conf
[source::/vcaclog/*]
TRANSFORMS-null= setnull-test
transforms.conf
[setnull-test]
REGEX = (?m)(nmon)
DEST_KEY = queue
FORMAT = nullQueue
Try:
[source::/vcaclog/...]
* doesn't match across / characters in source.
Thank you, this worked!
Glad to hear that 🙂
Please mark the answer as accepted, so others can also quickly find this as the correct answer if they stumble upon the same question 🙂
So after /vcaclog/... I should have 3 dots?
Yes.
Please refer to this for more info:
http://docs.splunk.com/Documentation/Splunk/7.1.3/Data/Specifyinputpathswithwildcards
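To show why the `*` stanza never fired while `...` does, here is an added Python model (not Splunk's own code and not from this thread) that applies a simplified version of the source-stanza wildcard rules and the nullQueue transform to the source path and event from the question; the function names and the sample event are assumptions.

```python
import re

# Constructed sample values based on the question: the source path and one nmon event.
SOURCE = "/vcaclog/ACPT/broker-fad-api/hq1acptrvra0775.me.com/ea_tomcat.log"
EVENT = ("Sep 27 07:11:08 hq1acptrvra1202.me.com ea_tomcat: env=ACPT "
         "profile=claymore (nmon) CMD (/etc/nmon-logger/bin/nmon_helper.sh)")


def source_pattern_to_regex(pattern: str) -> str:
    """Simplified model (assumption) of Splunk [source::...] stanza wildcards:
    '...' matches any characters including '/', '*' matches anything except '/'.
    Everything else is taken literally, and the whole source must match."""
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("...", i):
            out.append(".*")
            i += 3
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return "^" + "".join(out) + "$"


def stanza_matches(stanza: str, source: str) -> bool:
    """stanza is the text inside [source::...]."""
    return re.match(source_pattern_to_regex(stanza), source) is not None


def routes_to_null_queue(stanza: str, regex: str, source: str, event: str) -> bool:
    """Emulates TRANSFORMS with DEST_KEY = queue / FORMAT = nullQueue: the transform
    only runs when the props stanza applies to the event's source, and then the
    transforms REGEX must match the raw event for it to be dropped."""
    if not stanza_matches(stanza, source):
        return False
    return re.search(regex, event) is not None


if __name__ == "__main__":
    for stanza in ("/vcaclog/*", "/vcaclog/..."):
        dropped = routes_to_null_queue(stanza, r"(?m)(nmon)", SOURCE, EVENT)
        print(f"[source::{stanza}] -> nullQueue: {dropped}")
```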