I want to filter the data logs below so that they are not ingested into Splunk.
%DOMAIN-2-IME:
%DOMAIN-2-IME_DETAILS:
%DOMAIN-5-TCA:
The following techniques were tried, but they didn't work out:
a) Using the regex \%.*\: in the transform.conf file (heavy forwarder) to filter all 3 of the above domains; even so, the logs are still being ingested into Splunk. Like below:
[elimatedomain_text]
REGEX=\%.*\:
DEST_KEY=queue
FORMAT=nullQueue
b) Using hardcoded values as below in the transform.conf file didn't work out:
REGEX = %DOMAIN-2-IME:
REGEX = %DOMAIN-2-IME_DETAILS:
REGEX = %DOMAIN-5-TCA:
Is there any other solution to blacklist these in the heavy forwarder?
Hi,
Can you please provide the props.conf configuration as well?
Hi,
Thanks for your response. Awaiting your help.
Set1 try:
Props.conf:
TRANSFORMS-Set = discard_events, discard_events1, discard_events_2
================================================================================
Set2 try:
Props.conf:
[cisco:ios]
TRANSFORMS-t1=[elimatedomain_text]
Transform.conf:
[elimatedomain_text]
REGEX=\%.*\:
DEST_KEY=queue
FORMAT=nullQueue
In props.conf, there should not be square brackets in TRANSFORMS.
It should be like:
[cisco:ios]
TRANSFORMS-t1= elimatedomain_text
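
Added example, not part of the thread: a small Python check of which events the thread's regex \%.*\: would send to nullQueue, compared with a tighter pattern limited to the three mnemonics in the question. Assumptions: Python's re stands in for Splunk's PCRE matching, the tighter regex is a suggestion of this example, and all sample events are constructed.

```python
import re

# Pattern from the thread: matches any "%" followed later by ":".
BROAD = re.compile(r"\%.*\:")
# Assumed tighter alternative (not from the thread): only the three
# mnemonics named in the question.
TIGHT = re.compile(r"%DOMAIN-(?:2-IME(?:_DETAILS)?|5-TCA):")

# Constructed sample events (not real logs). The last two should be kept.
SAMPLE_EVENTS = [
    "Jan 10 10:00:01 rtr1 101: %DOMAIN-2-IME: constructed sample text",
    "Jan 10 10:00:02 rtr1 102: %DOMAIN-2-IME_DETAILS: constructed sample text",
    "Jan 10 10:00:03 rtr1 103: %DOMAIN-5-TCA: constructed sample text",
    "Jan 10 10:00:04 rtr1 104: %SEC_LOGIN-4-LOGIN_FAILED: constructed sample text",
    "Jan 10 10:00:05 rtr1 105: %DOMAIN-5-TCAX: constructed sample text",
]


def route(events, pattern):
    """Split events the way a nullQueue transform would: an unanchored
    match anywhere in the raw event sends that event to nullQueue."""
    dropped = [e for e in events if pattern.search(e)]
    kept = [e for e in events if not pattern.search(e)]
    return dropped, kept


def report(events=SAMPLE_EVENTS):
    """Return one summary line per pattern, listing what would be kept."""
    lines = []
    for name, pattern in (("broad", BROAD), ("tight", TIGHT)):
        dropped, kept = route(events, pattern)
        lines.append(f"{name}: dropped={len(dropped)} kept={len(kept)}")
        lines.extend(f"  kept: {e}" for e in kept)
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

The broad pattern discards every sample event, including the login-failure line, so once the props.conf stanza is corrected it would drop far more than the three intended message types.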