Hello there,
i got a Catalina log and i don't want to index lines that contains one of that word: API PROXY, WARN, ERROR
After that i want to aggregate some lines.
I'm using a Single instance deployment of Splunk7.1.
Can someone help me to delete the log lines?
Thanks
Don't you forget to modify your props.conf and restart splunk?
i've modified props.conf and restart but it still doesnt work
If you want to filter the captured logs, use "nullQueue".
Filter event data and send to queues
http://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad
I tried with this transforms.conf file
[setnull]
REGEX = API PROXY|WARN|ERROR
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX = .
DEST_KEY = queue
FORMAT = indexQueue
but it doesn't work
How is this done?
[setnull]
REGEX = (API PROXY|WARN|ERROR)
DEST_KEY = queue
FORMAT = nullQueue
Hello, try some solutions from this post:
https://answers.splunk.com/answers/96/how-do-i-exclude-some-events-from-being-indexed-by-splunk.html