All,
I have a 3-part TRANSFORMS.conf in my props.conf; when enabled I receive no logging at all. However, I am not seeing why.
Log Example -
{"Timestamp":"2019-08-20T23:07:27.8115577+00:00","Level":"FATAL","MessageTemplate":"TEST","Properties":{"MachineName":"something","LogType":"ScheduledTasks","App":"ScheduledTasks","Environment":"13"}
Here is my transforms -
# transforms.conf
# By default collect nothing
[nulldefault]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
# Let's go ahead and keep Error|Crit|fatal and others
# Also if the dev mentions "splunk" in their log we'll keep it
[keep]
REGEX=((?i)error|crit|fatal|splunk|ora-|INFO)
DEST_KEY=queue
FORMAT=indexQueue
# even with that there is some common garbage
[final]
REGEX=app_name=SolrCloud
DEST_KEY=queue
FORMAT=nullQueue
Not seeing why this would drop all logs.
Did you mention your index name in inputs.conf? If not, add this to your transforms.conf and see if it works.
transforms.conf
[keep_index]
REGEX=((?i)error|crit|fatal|splunk|ora-|INFO)
DEST_KEY=_MetaData:Index
FORMAT=<your index name>
props.conf
TRANSFORMS-set = nulldefault,keep,keep_index
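
A small model of how the stanzas in this thread interact, added here as an illustration and not taken from either post or from Splunk itself. It assumes the transforms in a TRANSFORMS-<class> list run left to right and that a later match on the same DEST_KEY overwrites an earlier one; `route`, the two non-FATAL sample events and `example_index` are constructed.

```python
import re

# Model of the stanzas posted in this thread: name -> (regex, DEST_KEY, FORMAT).
# The inline (?i) is written as re.IGNORECASE, since Python rejects that flag mid-pattern.
KEEP = re.compile(r"(error|crit|fatal|splunk|ora-|INFO)", re.IGNORECASE)
TRANSFORMS = {
    "nulldefault": (re.compile(r"."), "queue", "nullQueue"),
    "keep": (KEEP, "queue", "indexQueue"),
    "final": (re.compile(r"app_name=SolrCloud"), "queue", "nullQueue"),
    # "example_index" is a placeholder for <your index name>.
    "keep_index": (KEEP, "_MetaData:Index", "example_index"),
}

# First event is the log example from the question; the other two are constructed.
FATAL = ('{"Timestamp":"2019-08-20T23:07:27.8115577+00:00","Level":"FATAL",'
         '"MessageTemplate":"TEST","Properties":{"MachineName":"something",'
         '"LogType":"ScheduledTasks","App":"ScheduledTasks","Environment":"13"}')
DEBUG = '{"Level":"DEBUG","MessageTemplate":"heartbeat"}'
SOLR = 'app_name=SolrCloud level=ERROR msg="replica down"'


def route(event, order, default_index="main"):
    """Apply the named transforms left to right; a later match overwrites the key."""
    # Assumed starting state: event heads for indexing in the default index.
    keys = {"queue": "indexQueue", "_MetaData:Index": default_index}
    for name in order:
        regex, dest_key, fmt = TRANSFORMS[name]
        if regex.search(event):  # unanchored match anywhere in the raw event
            keys[dest_key] = fmt
    return keys


if __name__ == "__main__":
    orders = (["nulldefault", "keep", "final"],
              ["keep", "nulldefault"],
              ["nulldefault", "keep", "keep_index"])
    for order in orders:
        for label, event in (("FATAL", FATAL), ("DEBUG", DEBUG), ("SOLR", SOLR)):
            print(",".join(order), label, route(event, order))
```

In this model the listed order decides the outcome: with `keep` ahead of `nulldefault`, every event ends in nullQueue.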