cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
becarimi
New Member
Member since: ‎08-28-2015
‎06-05-2020
Community Statistics
Posts 1
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎08-28-2015
Topics I've Started
No posts to display.
View All

Re: How to configure props.conf and transforms.con...

by in Splunk Search
‎08-28-2015 04:47 AM
‎08-28-2015 04:47 AM
I'm trying to do the same but I do not get the expected result. I receive syslog messages by upd: 514, I want to do is to filter syslog messages with a particular word and discard the rest messages. The settings of my props.conf is this: [syslog] pulldown_type = true maxdist = 3 TIME_FORMAT =% b% d% H:% M:% S MAX_TIMESTAMP_LOOKAHEAD = 32 TRANSFORMS = syslog-host REPORT-syslog = syslog-extractions SHOULD_LINEMERGE = False TRANSFORMS-set = otroindex,todos #TRANSFORMS-null = otroindex,todos Transform.conf the configuration of this file is: [otroindex] REGEX = miguel DEST_KEY = _MetaData: Index FORMAT = test WRITE_META = true [todos] REGEX = . DEST_KEY = queue FORMAT = nullQueue But not quite work, if in the fields: DEST_KEY = queue FORMAT = nullQueue I do not receive any data. But if I write the following works properly: REGEX = <keyword that you want> DEST_KEY = _MetaData: Index FORMAT = <index you want> WRITE_META = true How can I do to filter syslog messages I want and discard the other messages(dont save) ?? ,I'm trying to do the same but I do not get the expected result. I receive syslog messages by upd: 514, I want to do is to filter syslog messages with a particular word and discard the rest messages. The settings of my props.conf is this: [syslog] pulldown_type = true maxdist = 3 TIME_FORMAT =% b% d% H:% M:% S MAX_TIMESTAMP_LOOKAHEAD = 32 TRANSFORMS = syslog-host REPORT-syslog = syslog-extractions SHOULD_LINEMERGE = False TRANSFORMS-set = otroindex,todos #TRANSFORMS-null = otroindex,todos Transform.conf the configuration of this file is: [otroindex] REGEX = miguel DEST_KEY = _MetaData: Index FORMAT = test WRITE_META = true [todos] REGEX = . DEST_KEY = queue FORMAT = nullQueue But not quite work, if in the fields: DEST_KEY = queue FORMAT = nullQueue I do not receive any data. But if I write the following works properly: REGEX = <keyword that you want> DEST_KEY = _MetaData: Index FORMAT = <index you want> WRITE_META = true How can I do to filter syslog messages I want and discard the other messages(dont save) ?? ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM