Heavy forward filter in udp port

Path Finder

Hi, I use a heavy forwarder with a data input on port 514 and index=abcd. After setting Forwarding and receiving » Forward data to "192.168.1.128:19997", I am trying to filter on the heavy forwarder.

step.1
props.conf
[source::udp:514]
TRANSFORMS-null= setnull

step.2
[setnull]
REGEX=REGEX=[.FGT60C3G13010319.]
DEST_KEY=queue
FORMAT=nullQueue

step.3
restart splunk forward host

my raw data:
May 26 15:16:41 192.168.1.99 date=2014-05-26 time=15:16:43 devid=FGT60C3G13010319 ...
can't filter
May 26 15:16:41 192.168.1.99 date=2014-05-26 time=15:16:43 devid= ...

0 Karma

Path Finder

I resolved it: I re-modified props.conf and cleared transforms.conf.

props.conf
[source::udp:514]
SEDCMD-nodeviceid = s/\sdevid=\w+\s/ /g

transforms.conf
(null)

restart splunk forward process.

success..^ ^


0 Karma
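
Added example, not part of the original posts: a Python sketch comparing the REGEX from the question's [setnull] stanza with the search pattern of the accepted SEDCMD, run over constructed sample events. Python's re module stands in for Splunk's regex engine, the function names are hypothetical, and the way the doubled "REGEX=" is read is an assumption.

```python
import re

# Constructed sample events, modeled on the raw line in the question.
EVENTS = [
    "May 26 15:16:41 192.168.1.99 date=2014-05-26 time=15:16:43 "
    "devid=FGT60C3G13010319 logid=0001 type=traffic",
    "May 26 15:16:42 192.168.1.99 date=2014-05-26 time=15:16:44 "
    "type=traffic devid=FGT60C3G13010319",
    "May 26 15:16:43 10.0.0.7 sshd: session opened",
]

# Assumption: with "REGEX=REGEX=[...]" everything after the first "=" is the
# pattern, so the regex starts with the literal text "REGEX=".
AS_WRITTEN = r"REGEX=[.FGT60C3G13010319.]"
# The same setting with the doubled key removed. Square brackets make it a
# character class: one character out of ".FGT60C3G1...", not the device id.
CHAR_CLASS = r"[.FGT60C3G13010319.]"
# Search pattern of the accepted SEDCMD: s/\sdevid=\w+\s/ /g
SED_SEARCH = r"\sdevid=\w+\s"


def would_drop(pattern, event):
    """True if a nullQueue transform using this REGEX would discard the event."""
    return re.search(pattern, event) is not None


def apply_sedcmd(event):
    """Replace every match with one space, as the /g substitution does."""
    return re.sub(SED_SEARCH, " ", event)


if __name__ == "__main__":
    for ev in EVENTS:
        print("as written drops:", would_drop(AS_WRITTEN, ev),
              "| char class drops:", would_drop(CHAR_CLASS, ev))
        print("  after SEDCMD:", apply_sedcmd(ev))
```

The second sample event shows a caveat of the substitution: the pattern requires whitespace after the value, so in this approximation a devid at the very end of an event is left in place.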
