Hi,
we are trying out Splunk (first contact). We want to check what we can log from HDS storages.
System report via port 11101 UDP:
As an example of what we don't need:
"Jan 18 11:44:23 SYSXX Jan 18 11:44:27 SVP Storage: CELFSS,1.1,410713,,2017-01-18T11:44:27.1+01:00,Storage,SVP,Authentication,Success,uid=lalalal({COMPONENT-POLLER}:DvM_Srv),R800:XXXXX,,SYSXX_Auditlog,,,,from=10.135.XXX.XXX,,,,384397,BasicLog,,,RMI AP,167,,[BASE],Logout,,Normal end,Seq.=0000384397"
These messages come in (it varies) every 1-5 minutes with similar content. Everything we get with "POLLER" should not be indexed... it is useless for us.
Copy props.conf to *system/local and add at the end:
[source::udp:11101]
TRANSFORMS-null= setnull
Copy transforms.conf and add at the end:
[setnull]
REGEX = [/POLLER]
DEST_KEY = queue
FORMAT = nullQueue
But that did not work. All of the messages are coming in. I guess I made a mistake in the REGEX or in Brain 1.0... not sure.
Where is my fault?
Regards
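Added example (editor's code, not part of the original post): a small Python check of the posted REGEX against the quoted poller event and a constructed non-poller event. `[/POLLER]` is a character class, so it matches any line containing one of the characters `/`, `P`, `O`, `L`, `E` or `R`, which is practically every event; a literal pattern such as `\{COMPONENT-POLLER\}` matches only the poller events. Splunk evaluates REGEX with PCRE as an unanchored search, and Python's `re.search` behaves the same for patterns this simple. The second event, the `FIXED_REGEX` value and the rendered transforms.conf stanza are assumptions of this example.

```python
import re

# Constructed sample events. The first is the poller event quoted in the post
# (already masked there); the second is a hypothetical interactive login of the
# same shape that should stay indexed.
POLLER_EVENT = (
    "Jan 18 11:44:23 SYSXX Jan 18 11:44:27 SVP Storage: CELFSS,1.1,410713,,"
    "2017-01-18T11:44:27.1+01:00,Storage,SVP,Authentication,Success,"
    "uid=lalalal({COMPONENT-POLLER}:DvM_Srv),R800:XXXXX,,SYSXX_Auditlog,,,,"
    "from=10.135.XXX.XXX,,,,384397,BasicLog,,,RMI AP,167,,[BASE],Logout,,"
    "Normal end,Seq.=0000384397"
)
HUMAN_EVENT = (  # constructed, hypothetical
    "Jan 18 11:50:02 SYSXX Jan 18 11:50:06 SVP Storage: CELFSS,1.1,410714,,"
    "2017-01-18T11:50:06.3+01:00,Storage,SVP,Authentication,Success,"
    "uid=admin,R800:XXXXX,,SYSXX_Auditlog,,,,from=10.135.XXX.XXX,,,,384398,"
    "BasicLog,,,GUI,167,,[BASE],Login,,Normal end,Seq.=0000384398"
)

POSTED_REGEX = r"[/POLLER]"            # as posted: a character class, not a literal
FIXED_REGEX = r"\{COMPONENT-POLLER\}"  # assumption: literal match on the poller marker


def would_drop(regex, event):
    """True if a transform with this REGEX would route `event` to nullQueue.

    Splunk runs REGEX as an unanchored PCRE search; re.search is equivalent
    for these patterns.
    """
    return re.search(regex, event) is not None


def classify(regex, events):
    """Split events into (dropped, kept) lists for the given REGEX."""
    dropped = [e for e in events if would_drop(regex, e)]
    kept = [e for e in events if not would_drop(regex, e)]
    return dropped, kept


def transforms_stanza(regex):
    """Render the transforms.conf [setnull] stanza for the given REGEX."""
    return "[setnull]\nREGEX = %s\nDEST_KEY = queue\nFORMAT = nullQueue\n" % regex


if __name__ == "__main__":
    for name, rx in (("posted", POSTED_REGEX), ("fixed", FIXED_REGEX)):
        dropped, kept = classify(rx, [POLLER_EVENT, HUMAN_EVENT])
        print("%s regex %r: dropped=%d kept=%d" % (name, rx, len(dropped), len(kept)))
    print(transforms_stanza(FIXED_REGEX))
```

Note the direction of the failure: the posted character class matches both sample events, so if the transform were actually being applied it would drop everything, not let everything through. That everything still arrives points at the transform not being applied at all (for example the change not yet picked up, or the stanza living on a host that does not parse the udp:11101 input) rather than at a non-matching regex, which is worth checking before changing the pattern.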