I have log file which polls an endpoint and if new version has come then only performs the operation. All the polling (whether new version is available or not ) are logged into log file. I am trying to read this log file which is working fine. But I want to avoid redundant polling logs and send only those logs where new version was found. Can this be done on splunk forwarder using input.conf file?
Search the community for nullQueue. You'll find many examples similar to this:
# props.conf
[foo]
TRANSFORMS-sendToNullQueue = sendToNullQueue
# transforms.conf
[sendToNullQueue]
REGEX = no new data found
DEST_KEY = queue
FORMAT = nullQueue
Your REGEX value should contain a regular expression matching the events you want to exclude.