Re: Filter data on indexer or heavy forwarder?

rjfv8205 · ‎08-20-2019

Hello, actually we don't have heavy forwarder instance.

Is it possible filter events in indexer when recieve data from UF's? How much performance affect?

ktn01 · ‎08-20-2019

Example to drop events that do not contain $LOG$:

prop.conf

 [source_event]
 TRUNCATE = 15000
 TRANSFORMS-filter = event_drop,event_take

transforms.conf

[event_drop]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[event_take]
REGEX = \$\$LOGS\$\$
DEST_KEY = queue
FORMAT = indexQueue

Hope it help

Christian

rjfv8205 · ‎08-20-2019

Thanks for your answer. My other question is how much performance affect if filter events directly on indexer?

Filter data on indexer or heavy forwarder?