I am looking to filter my syslog traffic before it gets indexed by Splunk, as we are getting a fair bit of fluff from our ESXi hosts.
This is what I have set up so far, and it doesn't appear to be working. It may be an error in my regex; I'm hoping not, haha.
-props.conf-
[source::SyslogVMware]
TRANSFORMS-null = setnull

-transforms.conf-
[setnull]
REGEX = [hostd]
DEST_KEY = queue
FORMAT = nullQueue
I am hoping to remove all alerts received from hostd before they are indexed, but this doesn't appear to filter anything, and I'm hoping I can get a quick pointer in the right direction.
Thanks!
Type your custom source correctly and this issue won't be a problem. 😉
It turns out the initial regex Hostd: wasn't actually working because Vpxa was being so chatty I didn't notice any Hostd logs; upon further filtering the search I noticed Hostd was sending logs. I looked at my custom source name and I was using the sourcetype name and not the source name.
Figured out a bit... my regex didn't need [hostd].
I made my REGEX = Hostd:
and this worked. I am now working on the OR, which should be a pipe... aren't the conf files using Perl regexes?
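Added example, not from the original thread and not Splunk's own code: a small Python simulation of the props.conf/transforms.conf nullQueue routing discussed above, run over constructed ESXi-style syslog lines. It shows why the original stanza filtered nothing (a [source::...] stanza is only applied when the event's source matches, and the poster had put the sourcetype name there), why REGEX = [hostd] would have been a problem once the stanza did match (in PCRE, square brackets make a character class, so [hostd] matches any single h, o, s, t or d and therefore nearly every event), why the literal Hostd: works, and that OR is indeed a pipe, because Splunk's transforms REGEX is PCRE. The source value udp:514, the host name and the log lines are assumptions made for this example.

```python
import fnmatch
import re

# Constructed ESXi-style syslog events for this example (invented, not real captures).
SAMPLE_EVENTS = [
    "Jan 10 12:00:01 esx01 Hostd: [verbose 'Hostsvc'] Task created: haTask-refresh",
    "Jan 10 12:00:02 esx01 Vpxa: [verbose 'VpxaHalCnxHostagent'] Received callback",
    "Jan 10 12:00:03 esx01 vmkernel: cpu0:1234)NMP: device path state changed",
    "Jan 10 12:00:04 esx01 sshd[999]: Accepted publickey for root from 10.0.0.5",
]

# Index-time metadata as Splunk would see it. The source value is an assumption:
# the poster's events carried sourcetype=SyslogVMware but some other source.
EVENT_META = {"host": "esx01", "source": "udp:514", "sourcetype": "SyslogVMware"}


def stanza_selects(stanza: str, meta: dict) -> bool:
    """Simplified props.conf stanza matching.

    [source::X] and [host::X] compare against the event's source/host (with
    '*' as a glob wildcard); a bare [X] compares against the sourcetype.
    Splunk's real matching has more rules; this covers the forum case.
    """
    if stanza.startswith("source::"):
        return fnmatch.fnmatchcase(meta["source"], stanza[len("source::"):])
    if stanza.startswith("host::"):
        return fnmatch.fnmatchcase(meta["host"], stanza[len("host::"):])
    return stanza == meta["sourcetype"]


def route(events, meta, stanza, regex):
    """Return (indexed, dropped) for one TRANSFORMS -> nullQueue rule.

    If the props.conf stanza does not select the event, the transform never
    runs and everything is indexed (the poster's original symptom). Otherwise
    any event whose raw text matches REGEX (unanchored search, as in Splunk's
    PCRE-based transforms) is sent to nullQueue.
    """
    if not stanza_selects(stanza, meta):
        return list(events), []
    pattern = re.compile(regex)  # Python's re is close enough to PCRE for these patterns
    dropped = [e for e in events if pattern.search(e)]
    indexed = [e for e in events if not pattern.search(e)]
    return indexed, dropped


SCENARIOS = [
    # (description, props.conf stanza, transforms.conf REGEX)
    ("original post: sourcetype name used as source, [hostd]", "source::SyslogVMware", r"[hostd]"),
    ("stanza fixed, but [hostd] is a character class", "SyslogVMware", r"[hostd]"),
    ("stanza fixed, literal Hostd:", "SyslogVMware", r"Hostd:"),
    ("stanza fixed, alternation Hostd:|Vpxa:", "SyslogVMware", r"Hostd:|Vpxa:"),
]


def main():
    for desc, stanza, regex in SCENARIOS:
        indexed, dropped = route(SAMPLE_EVENTS, EVENT_META, stanza, regex)
        print(f"{desc}\n  [{stanza}] REGEX = {regex}\n  indexed={len(indexed)} dropped={len(dropped)}")
        for e in dropped:
            print("    nullQueue <-", e)


if __name__ == "__main__":
    main()
```

Run it with python3 and compare the four scenarios: the first indexes all four events, the second drops all four, the third drops only the Hostd line, the fourth drops Hostd and Vpxa. On a real indexer, check which stanza actually applies with `splunk btool props list --debug`, and remember that props.conf and transforms.conf changes on the parsing tier take effect after a restart.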