I'm trying to filter logs containing the word 'version' and send them to the nullQueue.
First of all, I'm using the Universal Forwarder and the Splunk Cloud sandbox. I tried to do this using the config files,
something like this:
props.conf
[default]
TRANSFORMS-null = setnull
transforms.conf
[setnull]
REGEX = version
DEST_KEY = queue
FORMAT = nullQueue
But it didn't work out. Then I read that with Splunk Cloud you need to do these configurations using the GUI.
It's quite confusing how to do this; all the documentation is about the Enterprise version.
I've tried to create a Field Transformation with these options:
regex = version
SourceKey = _raw
format = queue::nullQueue
But again, it doesn't work.
Any ideas? Thanks.
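Added as a worked example (not part of the question, and not Splunk code): a small Python simulator that applies the posted props.conf/transforms.conf stanzas to constructed sample events the way the parsing pipeline does, so you can see which events the REGEX would actually send to nullQueue before deploying it. It assumes the stanzas are evaluated where parsing happens (an indexer or heavy forwarder rather than a universal forwarder); the conf parser and the sample events are mine.

```python
import re

# Constructed copies of the stanzas from the question (not a real deployment).
PROPS_CONF = "[default]\nTRANSFORMS-null = setnull"
TRANSFORMS_CONF = "[setnull]\nREGEX = version\nDEST_KEY = queue\nFORMAT = nullQueue"

def parse_conf(text):
    """Minimal .conf parser: returns {stanza: {key: value}}."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def route_event(raw, props, transforms, stanza="default"):
    """Queue an event ends up in: TRANSFORMS-* run in order, last match wins."""
    queue = "indexQueue"
    for key, names in props.get(stanza, {}).items():
        if not key.startswith("TRANSFORMS-"):
            continue
        for name in (n.strip() for n in names.split(",")):
            t = transforms.get(name, {})
            # REGEX is applied to _raw and is case-sensitive unless (?i) is used.
            if t.get("DEST_KEY") == "queue" and re.search(t["REGEX"], raw):
                queue = t["FORMAT"]
    return queue

def route_all(events, props_text=PROPS_CONF, transforms_text=TRANSFORMS_CONF):
    props, transforms = parse_conf(props_text), parse_conf(transforms_text)
    return {e: route_event(e, props, transforms) for e in events}

# Constructed sample events; the unanchored regex also drops "conversion".
SAMPLE_EVENTS = [
    "app started, version 2.3.1",
    "user alice login ok",
    "currency conversion failed",
    "Version mismatch on node 3",
]

if __name__ == "__main__":
    for event, queue in route_all(SAMPLE_EVENTS).items():
        print(f"{queue:10s} <- {event}")
```

Anchoring the pattern (for example `REGEX = \bversion\b`) keeps the "conversion" event, which is the kind of over-match worth checking before events are discarded for good.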