I am not good at regex, so I need help filtering some IPs from being indexed.
The raw events look like this:
192.168.184.25 - - [26/Jan/2018:10:46:06 -0500] "HEAD / HTTP/1.0" 302 0 "-" "avi/1.0" "-"
192.168.184.26 - - [26/Jan/2018:10:46:06 -0500] "HEAD / HTTP/1.0" 302 0 "-" "avi/1.0" "-"
I also have data in the dataset coming from 23.99., so I want to exclude all data from the 23.99. range.
I was trying the following in transforms.conf on my Heavy Forwarder, but the events are still coming in. Note: I just started with 192.168.184.25.
transforms.conf
[setnull]
REGEX = \,192\.168\.184\.25\,
DEST_KEY = queue
FORMAT = nullQueue
props.conf
[source::/var/log/nginx/access.log]
TRANSFORMS-null= setnull
Try this:
[setnull]
REGEX = 192\.168\.184\.25
DEST_KEY = queue
FORMAT = nullQueue
[source::/var/log/nginx/access.log]
TRANSFORMS-null = setnull
Let me know if this helps!
This worked. If I wanted to exclude 192.168.184.25 and 192.168.184.26, could I do it with one statement?
I tried 192.168.184.* and this did not work.
Try this:
192\.168\.184\.(25|26)
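Added example (not part of the original thread): a Python check of the thread's patterns against constructed events in the same access-log format, showing which events each REGEX would send to nullQueue. Python's re module stands in for the PCRE engine Splunk uses; the "range_unanchored" and "anchored" patterns and the 23.99.x.x reading of the range are assumptions of this example, as is the client IP being the first field of the event.

```python
import re

# Constructed events in the page's nginx access-log format (client IP is the first field).
_TAIL = ' - - [26/Jan/2018:10:46:06 -0500] "GET {} HTTP/1.1" 200 612 "-" "curl/7.58" "-"'
EVENTS = [ip + _TAIL.format(path) for ip, path in [
    ("192.168.184.25", "/"),
    ("192.168.184.26", "/"),
    ("192.168.184.250", "/"),              # different host that shares the ".25" prefix
    ("23.99.10.4", "/"),
    ("123.99.1.1", "/"),                   # outside 23.99.x.x but contains "23.99."
    ("10.1.2.3", "/?src=192.168.184.25"),  # filtered IP appears only in the URL
]]

PATTERNS = {
    # From the question: the events contain no commas, so this never matches.
    "question": r"\,192\.168\.184\.25\,",
    # From the last answer: matches anywhere in the raw event.
    "answer": r"192\.168\.184\.(25|26)",
    # Assumption: a naive pattern for the 23.99. range.
    "range_unanchored": r"23\.99\.",
    # Assumption: anchored to the start of the event and ended at the
    # whitespace after the IP, covering both hosts and the 23.99.x.x range.
    "anchored": r"^(?:192\.168\.184\.(?:25|26)|23\.99\.\d{1,3}\.\d{1,3})\s",
}

def dropped(pattern, events=EVENTS):
    """Return the client IPs of the events the pattern matches (sent to nullQueue)."""
    rx = re.compile(pattern)
    return [e.split()[0] for e in events if rx.search(e)]

def stanza(name, pattern):
    """Render a transforms.conf stanza in the form used in the thread."""
    return f"[{name}]\nREGEX = {pattern}\nDEST_KEY = queue\nFORMAT = nullQueue\n"

if __name__ == "__main__":
    for label, pat in PATTERNS.items():
        print(f"{label:17} drops {dropped(pat)}")
    print(stanza("setnull", PATTERNS["anchored"]))
```

With the unanchored patterns, events from 192.168.184.250, 123.99.1.1 and the request that only mentions the IP in its URL are discarded as well, which means unintended gaps in the indexed access log.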