I want to prevent DEBUG logging from being indexed by the Splunk indexers. We use lightweight forwarders on both Linux and Windows boxes; the indexer is on a Linux box.
So here is what I tried. The two files below are on the indexers, since we use a lightweight forwarder.
1- create props.conf in %SPLUNK_HOME%/etc/system/local/props.conf

    [source::....log(.\d+)?]
    TRANSFORMS-debug_log = debug_log_transform

2- create transforms.conf in %SPLUNK_HOME%/etc/system/local/transforms.conf

    [debug_log_transform]
    REGEX = \d+\.\d+\.\d+\s\d+\.\d+\.\d+\.\d+\sDEBUG(.*)$
    DEST_KEY = queue
    FORMAT = nullQueue
Doing the above on the Splunk indexer is not working for me. Am I doing something wrong here?
The sample log line I need to exclude is:
2011-02-11 23:04:05,448 DEBUG [com.nphase.magicbus.autobinding.cxf.transport.incantation.IncantationConduit] - ...done
It's difficult to read with the formatting of your question, but off-hand, it looks like there are a couple of issues that might cause your transform to fail:
P.S. You might want to edit your question and highlight your "code" sections that aren't formatting properly and click the "101010" button on the editor bar.
This will work for sure, unless you have a typo or configuration issue. Just copy-and-paste these:
    [source::....log...]
    TRANSFORMS-debug_log = debug_log_transform

    [debug_log_transform]
    REGEX = DEBUG\s\[
    DEST_KEY = queue
    FORMAT = nullQueue
I tried this in the lab and it works for me, using the log entry you posted. This will work for any file whose filename contains .log anywhere in the path/filename, unless you have another props.conf/transforms.conf that is overriding these settings.
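As an added example (not from this thread), here is a small Python harness for checking a transforms.conf REGEX against sample events before pushing it to the indexer; it mimics a DEST_KEY = queue / FORMAT = nullQueue stanza and assumes Python's re.search is close enough to Splunk's PCRE match on _raw for these patterns. The first sample event is the line from the question; the other two are constructed.

```python
import re

# Constructed sample events. The first is the DEBUG line quoted in the question;
# the third is a non-DEBUG event that merely mentions the word "DEBUG" in its message.
SAMPLE_EVENTS = [
    "2011-02-11 23:04:05,448 DEBUG [com.nphase.magicbus.autobinding.cxf."
    "transport.incantation.IncantationConduit] - ...done",
    "2011-02-11 23:04:05,449 INFO  [com.nphase.magicbus.Router] - request accepted",
    "2011-02-11 23:04:06,001 WARN  [com.nphase.magicbus.Router] - DEBUG mode flag seen in payload",
]

# The two REGEX values from the thread: the original attempt and the suggested fix.
ORIGINAL_REGEX = r"\d+\.\d+\.\d+\s\d+\.\d+\.\d+\.\d+\sDEBUG(.*)$"
SUGGESTED_REGEX = r"DEBUG\s\["


def route_event(event: str, regex: str) -> str:
    """Simulate a transforms stanza with DEST_KEY = queue and FORMAT = nullQueue.

    Splunk applies REGEX to the event's _raw text; a match sends the event to
    nullQueue (discarded before indexing), anything else continues to indexQueue.
    Assumption: Python re.search stands in for Splunk's PCRE search here.
    """
    return "nullQueue" if re.search(regex, event) else "indexQueue"


def dropped_events(events, regex):
    """Return the subset of events that the given REGEX would discard."""
    return [e for e in events if route_event(e, regex) == "nullQueue"]


if __name__ == "__main__":
    for name, regex in (("original", ORIGINAL_REGEX), ("suggested", SUGGESTED_REGEX)):
        print(f"{name}: drops {len(dropped_events(SAMPLE_EVENTS, regex))} of {len(SAMPLE_EVENTS)}")
        for event in SAMPLE_EVENTS:
            print(f"  {route_event(event, regex):10s} {event[:60]}")
```

The original pattern never matches because the timestamp uses hyphens, colons and a comma rather than the dots it expects, while DEBUG\s\[ matches only the level field followed by the logger bracket and leaves the WARN event alone. Anything routed to nullQueue is gone before it is written to the index, so confirm the match set on sample data first.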