Here's the situation.
I have an equipement sending 2 kinds of events with UDP syslog to a splunk fowarder and then send it to a splunk server in TCP.
I would like to filter events on the splunk fowarder with the outputs.conf or inputs.conf files by gathering only 1 kind of log.
i'd see this is possible on the splunk server directly but i want to minimize the impact on the bandwidth and not sending useless logs for nothing.
Is there a way to do that via a regex or specific char on the event ?
basically no, Splunk do not have any appliances, the "Heavy" forwarder is simply a regular instance of Splunk that has forwarding enabled... to add some more info a "Light" forwarder is a regular instance of Splunk that has some features disabled such as Splunkweb and indexing. And "Universal" forwarder is a completely stripped down instance of Splunk with no webUI, no python etc. Unfortunately as the docs say unless you simply want to filter on the metadata of host/source/sourcetype, you can not use a light or universal forwarder (i.e. for your event filtering).
Well i didn't see this page, thanks.
But i want to do this on a UniversalSplunkFowarder, not a heavy fowarder which is i guess a physical splunk appliance, correct ?