I'm using Splunk Enterprise on a local Windows-based system.
I have a file reader configured to watch a directory where I dump logs and folders of logs.
c:\logs\*\*.log
All folders and files that end in ".log"
There is a specific event that is typically in my .log files and they always start with 30 and 32. I'd like to filter this out and I've tried everything I can think of.
I even copied this type of setup, but I can't seem to get it working:
Section: "Discard specific events and keep the rest"
http://docs.splunk.com/Documentation/Splunk/6.2.2/Forwarding/Routeandfilterdatad
Used this as a reference for Windows file paths:
http://docs.splunk.com/Documentation/Splunk/6.2.2/Data/Specifyinputpathswithwildcards
in the etc\system\local
props.conf
[source::....log]
TRANSFORMS-null= setnull
Also tried [source:://....log]
Also tried [monitor:://....log]
Also tried [monitor::....log]
transforms.conf
[setnull]
regex = ^3[02]
DEST_KEY = queue
FORMAT = nullQueue
After making changes, I restart Splunk and send some test data. Every time, my unwanted events that start with 30 and 32 still show up. Any help would be great. I'm pretty sure my regex is right, but I don't have any idea if the rest is.
Thanks,
Grant