Hi,
I've a full forwarder on machine A pointing at some log files in c:\temp*.log. These are being forwarded to the full splunk install on machine B. I only want to send the lines in the log files on machine A that contain the string [1:] or a [2:] to the splunk indexer from the forwarder on Machine B.
My \etc\apps\search\local\inputs.conf file looks like:
[monitor://c:\temp\log\*.log]
disabled = false
My \etc\apps\search\local\props.conf file looks like:
[splunkd]
EXTRACT-fields = (?i)^(?:[^ ]* ){2}(?:[+\-]\d+ )?(?P<log_level>[^ ]*)\s+(?P<component>[^ ]+) - (?P<message>.+)
[splunk_web_service]
EXTRACT-useragent = userAgent=(?P<browser>[^ (]+)
[source:c:\temp\log\...]
TRANSFORMS-dp = setTypeOne, setTypeTwo
My \etc\apps\search\local\transforms.conf looks like:
# Version 6.0.2
[setTypeOne]
DEST_KEY = MetaData:Sourcetype
REGEX = \[1:1\]
FORMAT = sourcetype::dp
[setTypeTwo]
DEST_KEY = MetaData:Sourcetype
REGEX = \[1:2\]
FORMAT = sourcetype::dp
The problems are:
1. No lines are being filtered out - the web app is showing all the lines in the file.
2. The sourcetype dp is not being created.
Any pointers would be gratefully received.
Thanks in advance.
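An added worked check, not part of the original post and not Splunk's own code: the transforms above set only MetaData:Sourcetype and never touch the queue key, so nothing is ever dropped, and the regexes \[1:1\] and \[1:2\] match the literal strings [1:1] and [1:2] rather than the [1:] and [2:] the question describes. The script below models the documented Splunk routing behaviour (transforms in a TRANSFORMS- list are applied in order, and the last matching transform wins for a given DEST_KEY) and runs the posted transforms and a nullQueue/indexQueue filtering set over constructed sample lines. The sample lines, the transform tuples and the route_event/indexed_events helpers are all assumptions made for this example.

```python
import re

# Constructed sample lines standing in for c:\temp\log\*.log (not taken from the post).
SAMPLE_LINES = [
    "2014-03-01 10:00:00 [1:] alert: rule one fired",
    "2014-03-01 10:00:01 [2:] alert: rule two fired",
    "2014-03-01 10:00:02 [1:1] sub-rule detail",
    "2014-03-01 10:00:03 INFO heartbeat",
]

# A transform is modelled as (name, REGEX, DEST_KEY, FORMAT). This mirrors the
# transforms.conf stanzas in the post; it is a model, not Splunk's parser.
POSTED_TRANSFORMS = [
    ("setTypeOne", r"\[1:1\]", "MetaData:Sourcetype", "sourcetype::dp"),
    ("setTypeTwo", r"\[1:2\]", "MetaData:Sourcetype", "sourcetype::dp"),
]

# Filtering pattern: send everything to nullQueue first, then rescue the wanted
# lines into indexQueue. Order matters because the later match overrides the
# earlier one for the same DEST_KEY ("queue").
FILTERING_TRANSFORMS = [
    ("setnull", r".", "queue", "nullQueue"),
    ("setparsing", r"\[[12]:\]", "queue", "indexQueue"),
    ("setTypeDp", r"\[[12]:\]", "MetaData:Sourcetype", "sourcetype::dp"),
]


def route_event(line, transforms, default_sourcetype="log"):
    """Return (queue, sourcetype) for one raw line after applying the transforms in order.

    Assumed defaults: every event starts in indexQueue with the sourcetype the
    input assigned (here the constructed value 'log').
    """
    keys = {
        "queue": "indexQueue",
        "MetaData:Sourcetype": "sourcetype::" + default_sourcetype,
    }
    for _name, regex, dest_key, fmt in transforms:
        # Last matching transform wins for a given DEST_KEY.
        if re.search(regex, line):
            keys[dest_key] = fmt
    sourcetype = keys["MetaData:Sourcetype"].split("::", 1)[1]
    return keys["queue"], sourcetype


def indexed_events(lines, transforms):
    """Lines that would reach the indexer, paired with the sourcetype they carry."""
    kept = []
    for line in lines:
        queue, sourcetype = route_event(line, transforms)
        if queue == "indexQueue":
            kept.append((line, sourcetype))
    return kept


if __name__ == "__main__":
    print("posted transforms:")
    for line, st in indexed_events(SAMPLE_LINES, POSTED_TRANSFORMS):
        print(f"  [{st}] {line}")
    print("filtering transforms:")
    for line, st in indexed_events(SAMPLE_LINES, FILTERING_TRANSFORMS):
        print(f"  [{st}] {line}")
```

With the posted transforms all four lines are indexed and only the [1:1] line gets sourcetype dp; with the filtering set only the [1:] and [2:] lines survive, both as dp. Two further points worth checking against the real configuration: props.conf source stanzas take two colons ([source::c:\temp\log\...]), and props/transforms routing is only applied where parsing happens, i.e. on a heavy forwarder or the indexer, not on a universal forwarder.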