change input.conf

Path Finder

Hi!
input.conf in Splunk-TA-Window,
this is the default:
"[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = wineventlog
renderXml=false"

I just want to get the error logs. How do I change it?

0 Karma

Communicator

You need to write props.conf and transforms.conf when you want to filter any data.

In your case you need to construct your props.conf like below.

[sourcetype]
TRANSFORMS-set = setnull, Error

transforms.conf

# This directs all the unwanted data to the null queue (same as /dev/null on Linux).
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# It will filter all the events which have the ERROR keyword in them and redirect them to your index.
[Error]
REGEX = ERROR
DEST_KEY = queue
FORMAT = indexQueue

0 Karma
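An added example, not part of the thread: a small Python model of how the `TRANSFORMS-set = setnull, Error` list from the answer above decides each event's queue, showing that the order of the list and the case of the REGEX both change what is kept. The function names, the single-line sample events and the `(?i)` variant are assumptions made for illustration.

```python
import re

# Transforms as written in the answer: name -> (REGEX, FORMAT written to DEST_KEY = queue)
TRANSFORMS = {
    "setnull": (r".", "nullQueue"),
    "Error": (r"ERROR", "indexQueue"),
}
# Assumed variant for comparison: same stanzas, case-insensitive match
CASE_INSENSITIVE = dict(TRANSFORMS, Error=(r"(?i)ERROR", "indexQueue"))

# Constructed sample events (simplified to one line each, not taken from the thread)
SAMPLE_EVENTS = [
    "LogName=System EventCode=7036 Type=Information Message=The service entered the running state.",
    "LogName=System EventCode=7031 Type=Error Message=The service terminated unexpectedly.",
    "LogName=System EventCode=41 Type=Critical Message=Kernel-Power ERROR on resume.",
]


def route(event, order, transforms=TRANSFORMS, default="indexQueue"):
    """Return the queue an event ends in after the transform list runs.

    Transforms run left to right; every one whose REGEX matches
    overwrites the queue key, so the last matching transform decides.
    """
    queue = default
    for name in order:
        regex, fmt = transforms[name]
        if re.search(regex, event):
            queue = fmt
    return queue


def kept(order, transforms=TRANSFORMS):
    """EventCodes of the sample events that reach indexQueue."""
    return [
        re.search(r"EventCode=(\d+)", e).group(1)
        for e in SAMPLE_EVENTS
        if route(e, order, transforms) == "indexQueue"
    ]


if __name__ == "__main__":
    print("setnull, Error      ->", kept(["setnull", "Error"]))
    print("Error, setnull      ->", kept(["Error", "setnull"]))
    print("setnull, (?i)Error  ->", kept(["setnull", "Error"], CASE_INSENSITIVE))
```

With the stanzas exactly as posted, only the event containing the uppercase string `ERROR` is kept; the `Type=Error` event is dropped unless the pattern is made case-insensitive, and reversing the list sends every event to the null queue.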

Path Finder

Thank you!

0 Karma

SplunkTrust

Hey @vumanhtai,

does this help you?

0 Karma