I am trying to filter out an IP address on our Splunk server based on the source - C:\http server\logs\web-access.log
A sample of the event looks like this:
192.168.1.15 - - [17/Feb/2011:18:13:34 +0800] "GET /" 200 8146
And my configuration:
props.conf:
TRANSFORMS-null = sendnull

transforms.conf:
[sendnull]
REGEX = 192\.168\.1\.15
DEST_KEY = queue
FORMAT = nullQueue
I still see events from 192.168.1.15 coming in. Any idea?
Stanza name in props.conf is incorrect: you've got to prepend it with "source::".
See the props.conf spec for more info:
[<spec>]
* This stanza enables properties for a given <spec>.
* A props.conf file can contain multiple stanzas for any number of different <spec>.
* Follow this stanza name with any number of the following attribute/value pairs.
* If you do not set an attribute for a given <spec>, the default is used.
<spec> can be:
1. <sourcetype>, the source type of an event.
2. host::<host>, where <host> is the host for an event.
3. source::<source>, where <source> is the source for an event.
[...]
I've also tried specifying this as the stanza name in props.conf:
[source::C:\http server\logs\web-access.log] ...but it is not working. Could it be due to the space between "http" and "server"?
Also, to mention, my Splunk server is receiving events from the web server, where Splunk is installed as a forwarder and configured to read the Apache log files locally before forwarding them.
If the instance monitoring the log is not a light-weight forwarder, then all transforms should be done there. In that case your config will have no effect on the indexer.
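Putting the two answers together, here is a complete props.conf/transforms.conf pair for this case. This is an added example, not configuration from the original poster or from Splunk's own docs. It assumes the source path and IP from the question, uses the `...` wildcard (which matches any characters including path separators) in the `source::` stanza so the space in "http server" and the drive letter do not have to be spelled out, and anchors the regex so that a host such as 192.168.1.150 is not dropped along with 192.168.1.15. The `host=webserver01` and search strings below are illustrative placeholders.

```ini
# props.conf
# Deploy on the instance that parses the data: the forwarder if it is a full
# (heavy) Splunk instance, otherwise the indexer. A universal/light forwarder
# does not run transforms, so config placed there has no effect.
# A stanza name of [source::C:\http server\logs\web-access.log] also works;
# the "..." form below matches the same file wherever it is monitored and
# sidesteps questions about the space and backslashes in the path.
[source::...web-access.log]
TRANSFORMS-null = sendnull

# transforms.conf (same instance as props.conf above)
[sendnull]
# REGEX is evaluated against _raw (the default SOURCE_KEY). The sample event is
#   192.168.1.15 - - [17/Feb/2011:18:13:34 +0800] "GET /" 200 8146
# so the client IP is the first field: anchor at start of line and require a
# following whitespace character. An unanchored 192\.168\.1\.15 would also match
# 192.168.1.150 and any line that merely mentions the address.
REGEX = ^192\.168\.1\.15\s
DEST_KEY = queue
FORMAT = nullQueue
```

Restart splunkd on the instance you edited so the new stanzas load. Before relying on the stanza name, confirm what Splunk actually records as the source, because the props.conf stanza must match that value exactly (or via wildcard): run a search such as `source="*web-access.log" | stats count by host, source` on the indexer and compare the `source` column with the stanza name. If events still arrive after the restart, the most common cause is the one in the second answer: the transform is installed on the indexer while a heavy forwarder already parsed the data.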