I'm trying to get a multi-line log4j event sent to the nullQueue on a Regular forwarder. Here is my inputs/props/transforms.conf:
[monitor:///opt/ShoppingSite/work/logs/tomcat.log] disabled = false followTail = 1 sourcetype = log4j [source::///opt/ShoppingSite/work/logs/tomcat.log] TRANSFORMS-filtercrap = cleantomcat [cleantomcat] REGEX = (?m).+getResponseEntity\nINFO:\s+The\slength\sof\sthe\smessage\sbody\sis\sunknown.+ DEST_KEY = queue FORMAT = nullQueue
This is the event from my tomcat log I need filtered:
Nov 24, 2010 12:51:18 PM com.noelios.restlet.http.HttpClientCall getResponseEntity INFO: The length of the message body is unknown. The entity must be handled carefully and consumed entirely in order to surely release the connection.
I've checked my regex using KiKi (Linux regex utility). Anyone have any thoughts? These events are still showing up when I search on my search head.