Hi,
I am trying to keep only the events that contain the LOGIN keyword and drop the remaining events. I am trying the configuration below, but it is not working. Any suggestions, please?
props.conf
[test_sourcetype]
# The transforms in this list run in the order given. When more than one of
# them sets DEST_KEY = queue for the same event, the last one that matches
# decides the queue. With this order setnull_test is evaluated after
# test_authlog, so setnull_test's REGEX must not match the LOGIN events,
# otherwise it overrides the indexQueue routing and the events are dropped.
TRANSFORMS-sample = test_authlog,setnull_test
transforms.conf
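[test_authlog]
# Keep rule: any event containing LOGIN is routed to the index queue.
REGEX = (LOGIN)
DEST_KEY = queue
FORMAT = indexQueue
[setnull_test]
# Drop rule. The original REGEX (?!LOGIN) was an unanchored negative
# lookahead: it succeeds at any position that is not immediately followed by
# "LOGIN", so it matched practically every event, including the LOGIN ones.
# Because this transform is listed after test_authlog in props.conf, it then
# reset queue for every event and everything ended up in nullQueue.
# Anchoring the lookahead to the start of the event and letting it scan the
# whole event makes it match only events that contain no LOGIN anywhere.
# For multi-line events, prefix the pattern with (?s) so "." also matches newlines.
# Alternative documented pattern: list setnull_test first in props.conf with
# REGEX = . and let the later test_authlog transform re-route LOGIN events.
REGEX = ^(?!.*LOGIN)
DEST_KEY = queue
FORMAT = nullQueue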