Splunk Enterprise

Filtering the events using transforms

vihar254
Loves-to-Learn Lots

Hi,

I am trying to filter the events using LOGIN keyword and drop remaining events. I am trying with the below configuration and it is not working. Any suggestions please?

props.conf

[test_sourcetype]

TRANSFORMS-sample = test_authlog,setnull_test

 

transforms.conf

[test_authlog]

REGEX = (LOGIN)

DEST_KEY = queue

FORMAT = indexQueue

 

[setnull_test]

REGEX = (?!LOGIN)

DEST_KEY = queue

FORMAT = nullQueue

Labels (1)
Tags (1)
0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!