Hello,
I have a test script that writes out hello_d01 to hello_d10 every 5 seconds... for instance:
16:04:14.36 hello_d01
16:04:14.36 hello_d02
16:04:14.36 hello_d03
16:04:14.36 hello_d04
16:04:14.36 hello_d05
16:04:14.36 hello_d06
16:04:14.36 hello_d07
16:04:14.36 hello_d08
16:04:14.36 hello_d09
16:04:14.36 hello_d10
A Splunk forwarder is set up to feed this log file to the indexer.
On the indexer, I have the following props.conf and transforms.conf, and I only want to keep the hello_d03 and hello_d04 events:
props.conf
[source::c:\\a\\]
TRANSFORMS-set=sco_setnull,sco_setparsing
transforms.conf
[sco_setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[sco_setparsing]
REGEX = (hello_d03|hello_d04)
DEST_KEY = queue
FORMAT = indexQueue
Upon splunkd restart, I'm still seeing all hello_d01 to hello_d10 events as if there were no props.conf and transforms.conf.
What am I missing, please?
Thanks.
Cheers,
Jack
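An added worked example (not part of Jack's post and not Splunk's own code) that models the two mechanisms the question depends on: TRANSFORMS are evaluated in the order listed in `TRANSFORMS-set`, and for `DEST_KEY = queue` the last matching transform decides where an event goes, which is why `sco_setnull` must come before `sco_setparsing`; and a `[source::...]` stanza is only applied when its pattern matches the event's full source path. The queue simulation follows the documented ordering rule; the source-stanza matcher is a simplified model (assumption: `...` matches anything including path separators, `*` matches anything except a separator, a doubled backslash is a literal backslash). The sample events and the example source paths are constructed.

```python
import re

# Constructed sample events modelled on the test log in the question (not real data).
SAMPLE_EVENTS = [f"16:04:14.36 hello_d{i:02d}" for i in range(1, 11)]

# The two transforms from the question, in TRANSFORMS-set order: (name, REGEX, FORMAT).
TRANSFORMS = [
    ("sco_setnull", r".", "nullQueue"),
    ("sco_setparsing", r"(hello_d03|hello_d04)", "indexQueue"),
]


def route_event(event, transforms, default_queue="indexQueue"):
    """Apply each transform in order; for DEST_KEY=queue the last match wins."""
    queue = default_queue
    for _name, regex, fmt in transforms:
        if re.search(regex, event):
            queue = fmt
    return queue


def route_events(events, transforms):
    """Map every event to the queue it would end up in."""
    return {event: route_event(event, transforms) for event in events}


def indexed_events(events, transforms):
    """Return only the events that survive into indexQueue."""
    return [e for e in events if route_event(e, transforms) == "indexQueue"]


def source_stanza_matches(stanza, source):
    """Simplified model (assumption) of props.conf [source::<pattern>] matching.

    The pattern must match the entire source path:
      '...'  matches any characters, path separators included
      '*'    matches any characters except a path separator
      '\\\\' (a doubled backslash in the stanza) is one literal backslash
      '\\x'  any other escaped character is taken literally
    """
    pattern = ""
    i = 0
    while i < len(stanza):
        if stanza.startswith("...", i):
            pattern += ".*"
            i += 3
        elif stanza[i] == "*":
            pattern += r"[^/\\]*"
            i += 1
        elif stanza.startswith("\\\\", i):
            pattern += r"\\"
            i += 2
        elif stanza[i] == "\\" and i + 1 < len(stanza):
            pattern += re.escape(stanza[i + 1])
            i += 2
        else:
            pattern += re.escape(stanza[i])
            i += 1
    return re.fullmatch(pattern, source) is not None


if __name__ == "__main__":
    print("Kept with the question's ordering:", indexed_events(SAMPLE_EVENTS, TRANSFORMS))
    print("Kept with the ordering reversed:", indexed_events(SAMPLE_EVENTS, TRANSFORMS[::-1]))
    # Constructed source path for the monitored file (assumption).
    src = r"c:\a\hello.log"
    for stanza in (r"c:\\a\\", r"c:\\a\\...", r"c:\\a\\*.log"):
        print(f"[source::{stanza}] matches {src!r}: {source_stanza_matches(stanza, src)}")
```

Running it shows that with `sco_setnull` first and `sco_setparsing` second only `hello_d03` and `hello_d04` reach `indexQueue`, while the reversed order discards everything, because `.` then matches last; the second part shows that a stanza pattern is only applied when it matches the whole source path of the monitored file, so the stanza is the first thing to verify against the value of `source` on the indexed events.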