Hi,
I have an HFW and indexer in my environment. I'm looking to filter certain events from the log source in HFW based on REGEX while indexing in the indexer.
Please find below the config files. Not sure where I'm going wrong.
props.conf
[testing]
TRANSFORMS-routing = conGroup
inputs.conf
[monitor:///var/logs]
disabled = false
index = main
sourcetype = testing
host = HFW
transforms.conf
[conGroup]
REGEX = ^(((?!i-)(?!sample)).)*$
DEST_KEY=_TCP_ROUTING
FORMAT=test
outputs.conf
[tcpout]
defaultGroup = nothing
[tcpout:test]
server = X.X.X.X:9997
Any help will be much appreciated. Thanks in advance.
Hi @rodneyjerome,
Let me understand: do you want to send only part of the logs to the Indexers, or discard events?
Anyway, the only place for your filters is the HF; already parsed events arrive on the Indexers, so it isn't possible to filter them there.
You can find the way to filter events at https://docs.splunk.com/Documentation/SplunkCloud/8.1.2012/Forwarding/Routeandfilterdatad#Filter_eve...
Ciao.
Giuseppe
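As an added illustration (not code from the original thread or from Splunk), the script below emulates in Python how a heavy forwarder evaluates a TRANSFORMS-<class> list against each event, so the posted regex can be sanity-checked before it is deployed. It runs the regex copied from the posted [conGroup] stanza as a _TCP_ROUTING transform, and beside it the two nullQueue patterns from the "Route and filter data" documentation page linked above: "discard events matching a pattern" and "keep only events matching a pattern, discard the rest". The sample events, the positive DROP_REGEX and all function names are constructed for this example; the emulation only checks regex and key semantics and is not a substitute for testing on the HF itself.

```python
import re

# Regex copied verbatim from the posted transforms.conf [conGroup] stanza.
# The pair of negative lookaheads at every position means it matches only
# events that contain neither "i-" nor "sample" anywhere in the raw text.
ROUTING_REGEX = re.compile(r"^(((?!i-)(?!sample)).)*$")

# The same intent written positively (an assumption for this example):
# match the events we want to get rid of.
DROP_REGEX = re.compile(r"i-|sample")

# Constructed sample events; these are not from the original post.
SAMPLE_EVENTS = [
    "2024-01-01T10:00:00Z host=web01 action=login user=alice",
    "2024-01-01T10:00:01Z host=i-0abc123 action=start",
    "2024-01-01T10:00:02Z this is a sample line to be dropped",
    "2024-01-01T10:00:03Z host=db01 action=query rows=12",
]

# Emulation of the poster's routing transform [conGroup]:
#   REGEX = ^(((?!i-)(?!sample)).)*$  DEST_KEY = _TCP_ROUTING  FORMAT = test
# A match sets _TCP_ROUTING to the "test" group; a non-match leaves the event
# on the tcpout defaultGroup from outputs.conf ("nothing" in the post).
ROUTING_TRANSFORMS = [(ROUTING_REGEX, "_TCP_ROUTING", "test")]

# "Discard specific events": matching events go to nullQueue via DEST_KEY = queue.
NULLQUEUE_TRANSFORMS = [(DROP_REGEX, "queue", "nullQueue")]

# "Keep specific events, discard the rest": the first transform matches
# everything and sends it to nullQueue, the second re-routes the keepers to
# indexQueue. Order matters because a later match overrides an earlier one.
KEEP_ONLY_TRANSFORMS = [
    (re.compile(r"."), "queue", "nullQueue"),
    (ROUTING_REGEX, "queue", "indexQueue"),
]


def apply_transforms(raw, transforms):
    """Emulate how a heavy forwarder evaluates one TRANSFORMS-<class> list.

    Each transform is (compiled regex, DEST_KEY, FORMAT). REGEX is searched
    (unanchored unless the pattern anchors itself) against _raw; every match
    writes FORMAT into DEST_KEY, so the last matching transform wins per key.
    Returns the resulting key/value pairs for the event.
    """
    keys = {}
    for regex, dest_key, fmt in transforms:
        if regex.search(raw):
            keys[dest_key] = fmt
    return keys


def tcp_routing_group(raw, default_group="nothing"):
    """Output group the poster's config would route this event to."""
    return apply_transforms(raw, ROUTING_TRANSFORMS).get("_TCP_ROUTING", default_group)


def queue_for(raw, transforms, default_queue="indexQueue"):
    """Queue an event ends up in under a nullQueue-style filter."""
    return apply_transforms(raw, transforms).get("queue", default_queue)


def summarize(events):
    """Return, per event, the decision each of the three configurations makes."""
    return [
        {
            "raw": raw,
            "tcp_routing": tcp_routing_group(raw),
            "drop_filter": queue_for(raw, NULLQUEUE_TRANSFORMS),
            "keep_only": queue_for(raw, KEEP_ONLY_TRANSFORMS),
        }
        for raw in events
    ]


if __name__ == "__main__":
    print(f"{'routing':8} {'drop':10} {'keep_only':10} event")
    for row in summarize(SAMPLE_EVENTS):
        print(f"{row['tcp_routing']:8} {row['drop_filter']:10} {row['keep_only']:10} {row['raw']}")
```

Two things the table makes visible: the events containing "i-" or "sample" never get _TCP_ROUTING set, so under the posted outputs.conf they fall back to defaultGroup rather than to the indexer; and the two nullQueue variants make the same decision, with the positive DROP_REGEX being the easier one to read and maintain. Whichever variant is used, it has to sit in props.conf/transforms.conf on the HF under the [testing] sourcetype stanza, for the reason given in the answer above.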
Thanks. This worked great!
Hi @rodneyjerome,
In your props.conf the TRANSFORMS is pointing to the wrong stanza.
Please try this:
[testing]
TRANSFORMS-routing = conGroup