How to filter event on splunk heavy forwarder?

anapat · ‎05-20-2011

I setup splunk heavy forwarder and splunk indexer.

I want to filter some event before indexed on splunk indexer.

*** Example log, i want to filter

2011-02-05 00:02:00,018 INFO [Cron_SendFaxNTF] - <BEGIN Send Notification Fax...>
2011-02-05 00:02:00,034 INFO [Cron_SendFaxNTF] - <BEGIN Send Notifications...>

I try to config both indexer and forwarder but not work!!!

*** props.conf

[iCIS_log]
TRANSFORMS-icisLog = icisLog-null

*** transforms.conf

[icisLog-null]
REGEX = ^\d+-\d+-\d+\s\d+:\d+:\d+,\d+\sINFO.*
DEST_KEY = queue
FORMAT = nullQueue

Help me please !!!!

ftk · ‎05-20-2011

In your inputs.conf, do you have your monitor set to the correct sourcetype (iCIS_log)?

Possibly tune your REGEX as such: ^\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2},\d{3}\s+INFO

anapat · ‎05-21-2011

Yes, I monitor sourcetype "iCIS log" and try to config both indexer and forwarder

I'll test with your regex. And i'll update result later.