Hi,
I need to import a log file into Splunk, however I want to exclude a certain type of entry. The entry to be ignored begins with:
2019-07-03 10:46:10.259 WARN 8944 ---
The only change to this is the date / time stamp. The log entries I want to index begin with:
2019-07-03 10:46:10.208 INFO 8944 ---
and
2019-07-02 13:23:03.194 ERROR 8944 ---
I have tried to implement this using props and transforms, however it continues to index everything. I've tried a few different options for this and nothing is working as required.
Currently I have the following:
props.conf
[my_log]
MAX_EVENTS = 100000
TRANSFORMS-null = setnull,setparsing
transforms.conf
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX = (?i)(ERROR|INFO)
DEST_KEY = queue
FORMAT = indexQueue
Can anyone point me in the right direction?
Thanks in advance.
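As an added illustration (not part of the question, and not Splunk code), the following Python simulates how the two transforms above are applied in order, with the last matching transform deciding the queue, and shows one way a WARN line can still reach the index: the unanchored, case-insensitive REGEX (?i)(ERROR|INFO) also matches words such as "info" inside a WARN line's message. The sample lines are constructed; the anchored regex in the second variant is a suggested alternative, not something from the original post.

```python
import re

# Constructed sample lines in the layout the question shows. The message
# text after "---" is invented to illustrate the unanchored-regex pitfall.
SAMPLE_LOG = """\
2019-07-03 10:46:10.208 INFO 8944 --- [main] Started application
2019-07-03 10:46:10.259 WARN 8944 --- [main] Could not read info file
2019-07-02 13:23:03.194 ERROR 8944 --- [main] Connection refused
2019-07-03 10:46:11.000 WARN 8944 --- [main] Cache miss
"""

# Transform order taken from TRANSFORMS-null = setnull,setparsing in the
# question: each (regex, queue) pair runs in turn, later matches override.
ORIGINAL_TRANSFORMS = [
    (r".", "nullQueue"),                  # setnull: drop everything by default
    (r"(?i)(ERROR|INFO)", "indexQueue"),  # setparsing: unanchored, case-insensitive
]

# Suggested variant (assumption, not from the post): anchor on the level
# field that follows the timestamp so only the event's own level decides
# routing, never a word that happens to appear in the message text.
ANCHORED_TRANSFORMS = [
    (r".", "nullQueue"),
    (r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} (ERROR|INFO) ", "indexQueue"),
]


def route(line, transforms):
    """Return the queue one event ends up in. This mimics sequential
    DEST_KEY=queue overrides with an unanchored search; it is a simulation."""
    queue = "indexQueue"  # an event that matches no transform is indexed
    for regex, dest in transforms:
        if re.search(regex, line):
            queue = dest
    return queue


def routed_lines(log, transforms):
    """Map every non-empty log line to the queue it would be sent to."""
    return {line: route(line, transforms) for line in log.splitlines() if line}


if __name__ == "__main__":
    for name, t in (("original", ORIGINAL_TRANSFORMS), ("anchored", ANCHORED_TRANSFORMS)):
        print(f"--- {name} ---")
        for line, queue in routed_lines(SAMPLE_LOG, t).items():
            print(f"{queue:<10} {line}")
```

Running it shows the WARN line containing "info file" reaching indexQueue under the original regex but nullQueue under the anchored one, while INFO and ERROR lines are indexed in both cases.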