change input.conf

vumanhtai · ‎12-12-2017

Hi!
input.conf in Splunk-TA-Window
this default
"[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = wineventlog
renderXml=false"

I just want to get log error. how do i change it!

sandyIscream · ‎12-13-2017

You need to write props.conf and transforms.conf when you want to filter any data.

In your case you need construct your props.conf like below.

[sourcetype]
TRANSFORMS-set =setnull, Error

transforms.conf

[setnull] --------------------------------------this is direct all the unwanted data to null queue. (Same as dev/null for linux)
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[Error] ---------------------- It will filter all the events which have ERROR keyword in them and redirect them to your index
REGEX = ERROR
DEST_KEY = queue
FORMAT = indexQueue

mayurr98 · ‎12-12-2017

hey @vumanhtai

Refer this link
https://answers.splunk.com/answers/477356/how-to-only-index-events-that-contain-specific-fie.html

let me know if it helps!

vumanhtai · ‎12-13-2017

thank! you

mayurr98 · ‎12-13-2017

hey @vumanhtai

does this help you?

change input.conf

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine

Are you a member of the Splunk Community?

change input.conf

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine