topic Re: How to configure a heavy forwarder to filter out data before sending logs to the indexer? in Getting Data In

How to configure a heavy forwarder to filter out data before sending logs to the indexer?

mehhos — Tue, 21 Oct 2014 09:21:05 GMT

Hi,
I like to filter out "%ASA-4-106023" before sending log to splunk indexer, Below are my config:

inputs.conf
[monitor:///var/log/]

outputs.conf:
[tcpout]
defaultGroup = splunk-indexer.dax.net_9090
disabled = false

                [tcpout:splunk-indexer.dax.net_9090]
                server = <ip_to_splunk-indexer>:9090

                [tcpout-server://<ip_to_splunk-indexer>:9090]

props.conf
[source::

Re: How to configure a heavy forwarder to filter out data before sending logs to the indexer?

mehhos — Tue, 21 Oct 2014 10:02:24 GMT

I try again:

inputs.conf

                 [monitor:///var/log/]

outputs.com

                 [tcpout]
                 defaultGroup = splunk-indexer.dax.net_9090
                 disabled = false

                 [tcpout:splunk-indexer.dax.net_9090]
                 server = 89.254.127.19:9090

                 [tcpout-server://89.254.127.19:9090]

props.conf

                [source::</var/log]
                TRANSFORMS-FilterEvent = Test1

transforms.conf

                [Test1]
                REGEX = *106023*
                DEST_KEY = queue
                FORMAT = nullQueue

Re: How to configure a heavy forwarder to filter out data before sending logs to the indexer?

sowings — Tue, 21 Oct 2014 17:26:12 GMT

I'd just have the Test1 rule look like this:

[Test1]
REGEX = %ASA-4-106023
DEST_KEY = queue
FORMAT = nullQueue

Wildcards aren't necessary for this particular filtration, and in fact, the bare * is confusing, it's intended to "repeat 0 or more of the prior character".