I am looking to filter my syslog traffic before it gets indexed by splunk as we are getting a fair bit of fluff from our esxi hosts.
This is what I have setup so far, and it doesnt appear to be working....it may be an error on my regex, I'm hoping not haha.
-props.conf-
[source::SyslogVMware]
TRANSFORMS-null = setnull
-transforms.conf-
[setnull]
REGEX = [hostd]
DEST_KEY = queue
FORMAT = nullQueue
I am hoping to remove all alerts recieved from hostd before being indexed, but this doesnt appear to filter anything and i'm hoping I can get a quick pointer in the right direction.
Thanks!
... View more