Hi,
I only want to index files containing the string #! in the first 5 characters of the file.
Therefore, I created the following inputs.conf:
[monitor://pathname]
blacklist = (?i:archive|develop|data|backup|\.txt$|\.gz$|\.tar$|\.csv$|\.bck$|\.log$|\.old$|\d{6,})
disabled = false
host = script
index = abcindex
sourcetype = abcscript
props.conf:
[abcscript]
TRANSFORMS-set = setnull,setparsing
transforms.conf:
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
# anchored to the start of the event, otherwise "#!" anywhere in the event matches
REGEX = ^.{0,5}#!
DEST_KEY = queue
FORMAT = indexQueue
Based on http://docs.splunk.com/Documentation/Splunk/6.3.1/Forwarding/Routeandfilterdatad
Unfortunately, everything is indexed in the index "abcindex" at the moment, and not only files starting with #!.
I also tried it with a dummy string in a dummy file, but again, everything is indexed.
Rebooted Splunk after changing config files.
Any idea what goes wrong here?
Using Splunk 6.3.1 at the moment.
Thanks
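As an added illustration (not code from the original post or from Splunk), the following Python emulation applies a TRANSFORMS-set chain to sample events the way Splunk does: transforms run left to right over the event's _raw text, REGEX is an unanchored search, and the last match that sets the queue wins. The events are constructed samples, and the emulation of the routing logic is an assumption about Splunk's behaviour, not its code.

```python
import re

# Ordered (name, REGEX, FORMAT) triples, as in TRANSFORMS-set = setnull,setparsing.
# Splunk evaluates the list left to right; every match that sets DEST_KEY = queue
# overwrites the previous value, so the last matching transform decides the queue.
TRANSFORMS_AS_POSTED = [
    ("setnull", r".", "nullQueue"),
    ("setparsing", r"(.{0,5}(#!))", "indexQueue"),   # unanchored: "#!" anywhere
]

# Same chain with the second REGEX anchored to the start of the event.
TRANSFORMS_ANCHORED = [
    ("setnull", r".", "nullQueue"),
    ("setparsing", r"^.{0,5}#!", "indexQueue"),      # "#!" within first 7 chars
]


def route_event(raw, transforms):
    """Return the queue a single event ends up in.

    Assumption: Splunk's REGEX is a search over _raw (not anchored unless the
    pattern says so), and the default queue for an untouched event is indexQueue.
    """
    queue = "indexQueue"
    for _name, regex, fmt in transforms:
        if re.search(regex, raw):
            queue = fmt
    return queue


# Constructed sample events; each string stands in for one single-line event.
SAMPLE_EVENTS = [
    "#!/bin/bash",                                        # shebang at offset 0
    "  #!/usr/bin/env python3",                           # shebang after 2 spaces
    "echo hello # not a shebang",                         # no "#!" at all
    "2016-01-01 12:00:00 job started #!later in line",   # "#!" far from the start
]


def route_all(transforms):
    """Map every sample event to its destination queue under the given chain."""
    return {raw: route_event(raw, transforms) for raw in SAMPLE_EVENTS}


if __name__ == "__main__":
    for label, chain in (("as posted", TRANSFORMS_AS_POSTED),
                         ("anchored", TRANSFORMS_ANCHORED)):
        print(label)
        for raw, queue in route_all(chain).items():
            print(f"  {queue:10} {raw!r}")
```

Note that the filter decides per event, not per file, so whatever the regex, only the events matching it are kept.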