Hi.
I'm trying to apply a rule for dropping and, meanwhile, get only some events in Indexers.
Here we are,
props.conf
[mysourcetype]
TRANSFORMS-filter = drop
transforms.conf
[drop]
REGEX = drop_event1|drop_event2|drop_eventX
DEST_KEY = queue
FORMAT = nullQueue
This is the standard way for dropping. And it works!
But, at the same time, i can't get a way to make both work with drop and get transformation,
props.conf
[mysourcetype]
TRANSFORMS-filter = drop,filter
transforms.conf
[drop]
REGEX = drop_event1|drop_event2|drop_eventX
DEST_KEY = queue
FORMAT = nullQueue
[filter]
REGEX = get_event1|get_event2|get_eventX
DEST_KEY = queue
FORMAT = indexQueue
I would like to explain Splunk 8,
- FIRST: drop all events containing pattern regex "drop_event1|drop_event2|drop_eventX"
- SECOND: get only events containing pattern regex "get_event1|get_event2|get_eventX"
It does not work! Splunk, after correctly dropping, gets all (".*"), except as said "drop_event1|drop_event2|drop_eventX" 😪
Any suggestion?
