Hi,
I have spent the last 2 hours searching for this simple scenario on Splunk Answers, without any luck.
Here is the case.
Requirement: I just want to index events which contain the string "[ERROR ]" in my indexer.
Any help will be greatly appreciated.
Set up those types of filters at the indexer level:
You can use a rule based on the sourcetype, and a matching regex based on the event.
You can test your regex on sample events with the "rex" command in Splunk beforehand to make sure.
For the new events, all of them are getting indexed, including the one that contains "Error".
I have restarted the Splunk on my local machine.
This looked correct. What is the current behavior when you index new events:
did you restart the indexers to apply the change?
Thanks yannK. I have changed the regular expression as per your point 1. No change in the result.
My props/transforms are in the following directory: C:\Program Files\Splunk\etc\system\local
Does that make them on indexers?
Appreciate your help.
1- [ and ] are regex keywords, you should escape them:
REGEX = \[ERROR\]
2- make sure that those props/transforms are on the indexers (not only on universal or lightweight forwarders)
Based on the article, I set the following files as shown, but still not getting the filtered log.
# props.conf: bind the two transforms, in this order, to the sourcetype
[MyVacationLog]
TRANSFORMS-set = myvacnull,myvacparsing

# transforms.conf: first send every event to nullQueue ...
[myvacnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# ... then rescue the matching ones back to indexQueue (last match wins)
[myvacparsing]
REGEX = [ERROR]
DEST_KEY = queue
FORMAT = indexQueue
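As an added illustration that is not part of the thread, here is a small Python simulation of the two-transform chain posted above: it shows why the unescaped `[ERROR]` (a character class matching any one of E, R or O) lets almost every event reach the index, and what the escaped pattern keeps. The sample events are constructed, and the `\s*` before the closing bracket is my assumption so that both "[ERROR]" and the "[ERROR ]" spelling from the requirement are accepted.

```python
import re

# Constructed sample events for the demo; not from the original thread.
SAMPLE_EVENTS = [
    "2023-01-01 10:00:00 [ERROR ] vacation request failed: db timeout",
    "2023-01-01 10:00:01 [INFO ] vacation request received",
    "2023-01-01 10:00:02 [WARN ] retrying connection",
    "2023-01-01 10:00:03 heartbeat ok",
]

# The regex as posted: a character class matching any single E, R or O.
BROKEN_REGEX = r"[ERROR]"
# Escaped brackets match the literal tag; \s* is an assumption so that both
# "[ERROR]" and the "[ERROR ]" spelling from the requirement are accepted.
FIXED_REGEX = r"\[ERROR\s*\]"


def route_event(event, transforms):
    """Mimic index-time routing for one event.

    Transforms run in the order listed in TRANSFORMS-set; each one whose
    REGEX matches overwrites DEST_KEY = queue, so the last match wins.
    Returns the final queue name.
    """
    queue = "indexQueue"  # default when nothing matches
    for regex, dest in transforms:
        if re.search(regex, event):
            queue = dest
    return queue


def index_survivors(events, error_regex):
    """Apply TRANSFORMS-set = myvacnull,myvacparsing and return the events
    that still reach indexQueue."""
    transforms = [
        (r".", "nullQueue"),          # myvacnull: send everything to nullQueue
        (error_regex, "indexQueue"),  # myvacparsing: rescue matching events
    ]
    return [e for e in events if route_event(e, transforms) == "indexQueue"]


if __name__ == "__main__":
    for label, regex in (("broken", BROKEN_REGEX), ("fixed", FIXED_REGEX)):
        kept = index_survivors(SAMPLE_EVENTS, regex)
        print(f"{label} regex {regex!r}: {len(kept)}/{len(SAMPLE_EVENTS)} indexed")
        for e in kept:
            print("   ", e)
```

In Splunk itself the equivalent pre-check is the `rex` test suggested earlier in the thread, and the transforms only take effect where parsing happens (the indexer or a heavy forwarder, not a universal forwarder).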