Hi!
I am faced with the following problem. I need to filter the logs that I receive from a source. I get the logs via a Heavy Forwarder, using the following config:
inputs.conf
[udp://4514]
index=mylogs
sourcetype = mylogs:leef
Before writing regex I tried the following configuration:
props.conf
[mylogs:leef]
TRANSFORMS-null= setnull_mylogs
transoforms.conf
[setnull_mylogs]
REGEX= .
DEST_KEY=queue
FORMAT=nullQueue
But it is not working, I am still receiving all events in the index. These conf files are stored in <heavy_folder>/etc/apps/<app_name>/local. Maybe I need to use another stanza name in props, but I tried [source::udp://4514] and it is not working. Any ideas? My goal then is to write a few regexes and receive only useful logs from this source. Thank you.
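For reference, the standard Splunk pattern for "drop everything from this source except the events I want" is two transforms applied in order: the first routes every event to nullQueue, the second routes the events matching a keep-regex back to indexQueue (the last matching transform in the list wins). This is an added example written for this thread, not configuration from the original post; it reuses the poster's sourcetype stanza [mylogs:leef] and transform name setnull_mylogs, while the keep transform name keep_mylogs and the LEEF field values in its regex are placeholders you would replace with whatever marks the events you actually want to keep. Both files go in the same app's local directory on the Heavy Forwarder (the instance that parses the UDP input), followed by a restart.

```ini
# props.conf (on the Heavy Forwarder, same app as the UDP input)
# Transforms run left to right; the last one whose REGEX matches sets the queue.
[mylogs:leef]
TRANSFORMS-filter = setnull_mylogs, keep_mylogs

# transforms.conf (note the file name: transforms.conf, not transoforms.conf)

# 1. Send every event from this sourcetype to the null queue.
[setnull_mylogs]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# 2. Pull the useful events back out and index them.
# The regex below is a placeholder: it keeps LEEF events whose EventID field
# (the 5th pipe-delimited header field) is one of three hypothetical values.
[keep_mylogs]
REGEX = ^LEEF:[^|]*\|[^|]*\|[^|]*\|[^|]*\|(Login|Logout|PolicyDrop)\|
DEST_KEY = queue
FORMAT = indexQueue
```

To confirm the stanzas are actually being picked up on the HF, run `splunk btool props list mylogs:leef --debug` and `splunk btool transforms list --debug` from $SPLUNK_HOME/bin; btool shows which file each setting is read from, which quickly exposes a misspelled file name or a stanza sitting in the wrong app.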
Hi
Probably you missed the :port part of your input? Without the : it doesn't parse that input correctly. You could see e.g. https://community.splunk.com/t5/Getting-Data-In/udp-portnumber-Event-Blacklist-How-do-I-prevent-unwa...
You have a typo in the transforms.conf name in your examples, but probably it's correct on your HF? And have you restarted it after modifying those configurations?
r. Ismo