What are the configurations required to forward specific log messages to Splunk?
Every log message that contains the phrase "ScanStatistics" needs to get forwarded to Splunk.
Let us know what configurations need to be done.
Hi @ssoftility,
some additional information, please:
In a few words, I need to understand:
because:
Ciao.
Giuseppe
Hi, please find the answers below.
2021-10-28 01:31:47,535 - cm_scan_statistics.cm_scan_statistics - INFO - c0:a0:0d:06:5b:c7 - CmScanStatistics. CM(c0:a0:0d:06:5b:c7) fbc.status=SUCCESS
2021-10-28 01:31:47,535 - cm_scan_statistics.cm_scan_statistics - INFO - c0:a0:0d:06:5b:c7 - CmScanStatistics: updating cm(c0:a0:0d:06:5b:c7) for ['metadata.scans.success', 'metadata.scans.lastupdate', 'metadata.scans.lastevent']
Hi @ssoftility,
if you want to filter your logs before indexing, you surely use less license for these logs, but you have fewer logs for your searches: you cannot use the discarded logs.
Anyway, with the only exception of Windows Event Logs, logs can be filtered only on indexers or (when present) on heavy forwarders.
To do this, you have to follow the instructions at https://docs.splunk.com/Documentation/Splunk/8.2.3/Forwarding/Routeandfilterdatad#Keep_specific_even...
In a few words, on your indexers you have to create a props.conf file containing:
[your_sourcetype]
TRANSFORMS-set= setnull,setparsing
and a transforms.conf like this:
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX = CmScanStatistics
DEST_KEY = queue
FORMAT = indexQueue
In this way you discard all logs except the ones containing "CmScanStatistics".
Remember to restart Splunk if you manually modify files.
Ciao.
Giuseppe
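The reason the answer lists setnull before setparsing is that Splunk applies the transforms in the order given in TRANSFORMS-set, and each matching transform overwrites the queue key, so the last match wins. The script below is an added example, not code from the thread or from Splunk: it models that ordering rule in plain Python (using the re module as a stand-in for Splunk's PCRE engine, which behaves the same for these simple patterns) over constructed events modelled on the log lines posted above. The heartbeat line, its timestamp and MAC address are made up for the example; the stanza names and patterns are the ones from the answer.

```python
import re

# Constructed sample events, modelled on the lines posted in the thread.
# The second line is an invented non-scan event so that something gets discarded.
SAMPLE_EVENTS = [
    "2021-10-28 01:31:47,535 - cm_scan_statistics.cm_scan_statistics - INFO - "
    "c0:a0:0d:06:5b:c7 - CmScanStatistics. CM(c0:a0:0d:06:5b:c7) fbc.status=SUCCESS",
    "2021-10-28 01:31:48,001 - cm_heartbeat.cm_heartbeat - INFO - "
    "c0:a0:0d:06:5b:c7 - heartbeat received",
    "2021-10-28 01:31:47,535 - cm_scan_statistics.cm_scan_statistics - INFO - "
    "c0:a0:0d:06:5b:c7 - CmScanStatistics: updating cm(c0:a0:0d:06:5b:c7) "
    "for ['metadata.scans.success', 'metadata.scans.lastupdate']",
]

# transforms.conf stanzas from the answer, expressed as data.
TRANSFORMS = {
    "setnull":    {"REGEX": r".",                "DEST_KEY": "queue", "FORMAT": "nullQueue"},
    "setparsing": {"REGEX": r"CmScanStatistics", "DEST_KEY": "queue", "FORMAT": "indexQueue"},
}

# props.conf: TRANSFORMS-set = setnull,setparsing  (the order is significant)
TRANSFORMS_ORDER = ["setnull", "setparsing"]


def route_event(event, order=TRANSFORMS_ORDER, transforms=TRANSFORMS):
    """Return the queue an event is routed to.

    Every transform in `order` whose REGEX matches overwrites the `queue`
    key, so the last matching transform decides. An event that matches no
    transform keeps the default and is indexed.
    """
    queue = "indexQueue"
    for name in order:
        t = transforms[name]
        if t["DEST_KEY"] == "queue" and re.search(t["REGEX"], event):
            queue = t["FORMAT"]
    return queue


def filter_events(events, order=TRANSFORMS_ORDER):
    """Return only the events that would reach the index."""
    return [e for e in events if route_event(e, order) == "indexQueue"]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(route_event(e), "<-", e[:70])
    # With the answer's order, two scan-statistics events are kept.
    print(len(filter_events(SAMPLE_EVENTS)), "events indexed")
    # With the stanzas reversed, setnull ('.') matches last and wins:
    # every event goes to nullQueue and nothing is indexed.
    print(len(filter_events(SAMPLE_EVENTS, ["setparsing", "setnull"])), "events indexed (reversed order)")
```

A quick check before touching a production indexer: run the same regexes against a handful of real lines this way, confirm the kept/discarded split is what you expect, and only then deploy props.conf and transforms.conf and restart. Events sent to nullQueue are gone for good, so a wrong order or an over-broad pattern silently drops data rather than producing an error.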