Hi
We have a group of servers and it looks like they have been reconfigured. Until we get hold of a sysadmin and fix the issue, we have to drop the logs from those servers.
Below is how we tried filtering with no success.
props.conf
[source::udp:514]
TRANSFORMS-bad_log = del_chHosts
transforms.conf
[del_chHosts]
REGEX = ^Host=rccr*
DEST_KEY = queue
FORMAT = nullQueue
We are looking to block logs from host names starting with rccr. We are wondering if anyone could point out what we could be doing wrong here?
We also tried a single host instead of a wildcard, but it still didn't work, so we're not sure. We'd appreciate your help.
Note: Logs are first forwarded to a syslog server (Splunk and the syslog server are the same server) and then to Splunk.
Thank you
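For reference, here is how host-based nullQueue routing is normally expressed in Splunk's props.conf and transforms.conf. This is an added example, not the poster's configuration or an official snippet: by default a transforms.conf REGEX is applied to the raw event text, so a pattern like `^Host=rccr*` only fires if the event itself begins with that literal text (and `rccr*` means "rcc" followed by zero or more "r"); matching on the host field instead requires `SOURCE_KEY = MetaData:Host`, where the value is stored as `host::<name>`. The stanza name `[source::udp:514]` is kept from the post and is an assumption about where the data enters Splunk; the transform names are invented.

```ini
# props.conf
# Assumption: the events really arrive on the udp:514 input. If Splunk instead
# reads the syslog server's files, the stanza must match that source path
# (or use a [host::rccr*] stanza, which props.conf also accepts).
[source::udp:514]
TRANSFORMS-drop_rccr = drop_rccr_hosts

# transforms.conf
[drop_rccr_hosts]
# Match against the host metadata, not the raw event text (the default).
SOURCE_KEY = MetaData:Host
# Host metadata is stored as "host::<name>"; ".*" allows anything after the prefix.
REGEX = ^host::rccr.*
# Route matching events to the null queue so they are never indexed.
DEST_KEY = queue
FORMAT = nullQueue
```

Two practical checks: these settings only take effect on the instance that parses the data (an indexer or heavy forwarder, not a universal forwarder) and only after that instance is restarted, and they apply to newly arriving events only, so existing indexed data is unaffected. Before relying on the filter, confirm what the host field actually contains for a sample event (for example with `index=* host=rccr*`), since a syslog relay in front of Splunk can rewrite the host to the relay's own name, in which case the host prefix will never match.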