I am trying to create a stanza in props.conf so that all non splunk internal logs go to index=newindex.
I tried using negative lookahead as follow:
[source::^(?!.*log\/*\\*splunk).*$]
But it doesn't work. Thanks.
Instead of using props.conf you can use inputs.conf to route internal logs to other index.
[monitor://$SPLUNK_HOME/var/log/splunk] index = newindex
We cannot change the config at UF.
