Getting Data In

route unwanted logs to a null queue

firasarabo
Path Finder

Hi,

I want to prevent DEBUG logging from being indexed by the Splunk indexers. We use lightweight forwarders on both Linux and Windows boxes; the indexer is on a Linux box.

So here is what I tried. The two files below are on the indexers, since we use a lightweight forwarder.

1- Create props.conf in %SPLUNK_HOME%/etc/system/local/props.conf

[source::....log(.\d+)?]
TRANSFORMS-debug_log = debug_log_transform

2- Create transforms.conf in %SPLUNK_HOME%/etc/system/local/transforms.conf

[debug_log_transform]
REGEX = \d+\.\d+\.\d+\s\d+\.\d+\.\d+\.\d+\sDEBUG(.*)$
DEST_KEY = queue
FORMAT = nullQueue

Doing the above on the Splunk indexer is not working for me. Am I doing something wrong here?

The sample log I need to exclude is:

2011-02-11 23:04:05,448 DEBUG [com.nphase.magicbus.autobinding.cxf.transport.incantation.IncantationConduit] - ...done

Thanks, Firas
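
An offline check of the posted REGEX against the posted sample event, added here as an example and not part of the original post. `CANDIDATE_REGEX`, the helper name and the three lines marked as constructed are assumptions of this example; Python's `re` is used as a stand-in for Splunk's PCRE matching, which behaves the same for these constructs.

```python
import re

# REGEX value exactly as posted in transforms.conf.
POSTED_REGEX = r"\d+\.\d+\.\d+\s\d+\.\d+\.\d+\.\d+\sDEBUG(.*)$"

# Candidate replacement (assumption of this example, not from the post):
# matches the "YYYY-MM-DD HH:MM:SS,mmm DEBUG " prefix of the sample event.
CANDIDATE_REGEX = r"^\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2},\d{3}\sDEBUG\s"

SAMPLE_EVENTS = [
    # Sample event from the post.
    "2011-02-11 23:04:05,448 DEBUG [com.nphase.magicbus.autobinding.cxf."
    "transport.incantation.IncantationConduit] - ...done",
    # Constructed: same timestamp layout, other log levels.
    "2011-02-11 23:04:06,002 INFO [com.example.Service] - started",
    "2011-02-11 23:04:07,119 ERROR [com.example.Service] - DEBUG flag ignored",
    # Constructed: the dotted timestamp shape the posted REGEX describes.
    "2011.02.11 23.04.05.448 DEBUG dotted timestamp",
]


def routed_to_null_queue(regex, events):
    """Return the events a transform with this REGEX would send to nullQueue.

    The REGEX is applied as an unanchored search over the raw event text,
    which re.search mirrors.
    """
    pattern = re.compile(regex)
    return [event for event in events if pattern.search(event)]


def main():
    for name, regex in (("posted", POSTED_REGEX), ("candidate", CANDIDATE_REGEX)):
        dropped = routed_to_null_queue(regex, SAMPLE_EVENTS)
        print(f"{name}: drops {len(dropped)} of {len(SAMPLE_EVENTS)} events")
        for event in dropped:
            print("    " + event[:60])


if __name__ == "__main__":
    main()
```

The posted pattern requires dot-separated date and time fields, so it matches only the constructed dotted line and never the sample event, whose timestamp uses `-`, `:` and `,`. The candidate drops the DEBUG event while leaving the INFO event and the ERROR event that merely mentions DEBUG in its message.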
