Hi Splunker,
I am using splunkforwarder 6.5 on Windows 2k8 servers. I am monitoring a log file from Splunk.
I have modified inputs.conf at the Universal Forwarder.
The size of the file that I am monitoring is 130mb, out of which my useful data is somewhere around 20Mb.
Can I restrict the unwanted data?
I have a list of keywords for which the log event is required and is to be indexed.
Is it possible to do the same at Universal Forwarder level?
TIA
Hi @sarvesh_11,
you can filter your logs on Indexers or (if present) on Heavy Forwarders.
The instructions to filter events are at https://docs.splunk.com/Documentation/Splunk/8.0.3/Forwarding/Routeandfilterdatad#Filter_event_data_...
As you can read, you can:
The job to do is to find one or more regexes to filter your data.
Only one hint: pay attention to your architecture, because the props.conf and transforms.conf files to filter events must be located on:
Ciao.
Giuseppe
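An added example, not part of the original posts and not the poster's own configuration: the "keep only matching events, discard the rest" pattern from the Splunk routing and filtering documentation, deployed on the indexers or heavy forwarders as the answer above says. The sourcetype name `my_app_log` and the keywords ERROR, FAILED and TIMEOUT are assumptions standing in for the real sourcetype and keyword list.

```ini
# ---- props.conf (on the indexer or heavy forwarder) ----
# "my_app_log" is a hypothetical sourcetype; use the sourcetype that
# inputs.conf on the Universal Forwarder assigns to the monitored file.
[my_app_log]
# Order matters: transforms run left to right, so every event is first
# sent to the nullQueue and matching events are then routed back.
TRANSFORMS-keep_keywords = setnull, keep_keywords

# ---- transforms.conf (same instance as props.conf) ----
[setnull]
# Matches every event and marks it for discard.
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[keep_keywords]
# Constructed keyword list: replace with the keywords that must be indexed.
# Events matching this regex are routed back to the index queue.
REGEX = (?i)\b(ERROR|FAILED|TIMEOUT)\b
DEST_KEY = queue
FORMAT = indexQueue
```

With this layout the forwarder still sends the whole file over the network; only events matching the keyword regex are indexed, which is what counts against license usage.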
Hi @gcusello ,
Yeah, I am clear about indexer and/or Heavy Forwarder; I was checking if we can place props.conf and transforms.conf at the Universal Forwarder,
to filter out the logs at forwarder level only,
because I read mixed views on this.
Thanks,
Hi @sarvesh_11,
at Universal Forwarders level, you can filter events only from Windows eventlogs, as you can see at https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf#WINDOWS_INPUTS:
Ciao.
Giuseppe