Hello guys, I have the following scenario: I'm receiving a lot of logs from Kubernetes clusters. I'm sending logs from Kubernetes to a Splunk Heavy Forwarder using Splunk Connect for Kubernetes. The sourcetype names are assigned by Splunk Connect using a structure like this: kube:container:* (example: kube:container:containerNumberOne). I have the following confs in the props.conf and transforms.conf files:

props.conf:

[(?::){0}kube:*]
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = true
TRANSFORMS-set = setnull, allowEvents, dropEventsByText, dropEventsBySourcetype, set_sourcetype

transforms.conf:

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[allowEvents]
REGEX = LOG_INI|LOG_FINOK|LOG_FINEX|LOG_FINNEG
DEST_KEY = queue
FORMAT = indexQueue
[dropEventsBySourcetype]
SOURCE_KEY=MetaData:Sourcetype
REGEX = containerNumberOne|containerNumberTwo
DEST_KEY = queue
FORMAT = nullQueue
[dropEventsByText]
REGEX = debug|DEBUG
DEST_KEY = queue
FORMAT = nullQueue
[set_sourcetype]
SOURCE_KEY=MetaData:Sourcetype
REGEX = kube\:container\:(.*)\-re\-
FORMAT = sourcetype::$1
DEST_KEY = MetaData:Sourcetype

These filters (and the sourcetype rename) have been working well for a while and, as you may observe, they filter events based on a text contained in the log or on a text in the sourcetype name. The problem is that I have a new requirement. I need to drop events based on 2 rules at the same time: a sourcetype name and a text in the log. Specifically, there are some logs with the sourcetype name containerFour and the text LOG_INI that I need to drop. I guess I need something like this (but I know the conf is wrong):

[dropEventsBySourcetypeAndText]
SOURCE_KEY=MetaData:Sourcetype
REGEX = containerNumberFour
REGEX = BCI_INI
DEST_KEY = queue
FORMAT = nullQueue

Does someone know what I need to do? Thanks in advance.
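One way to express a drop that depends on both the sourcetype and the event text, added here as an example and not part of the post above: a transform reads a single SOURCE_KEY, so keep the default _raw for the text match and let a props.conf stanza keyed on the sourcetype decide which events reach that transform at all. The stanza name, the class name and the exact sourcetype value are assumptions; the ordering relies on TRANSFORMS classes being applied in ASCII order of class name (so a class sorting after "set" can override the indexQueue routing done by allowEvents), which should be confirmed with a test event before relying on it.

```ini
# props.conf (added example, not the configuration from the post)
# The (?::){0} prefix makes this a sourcetype pattern, as in the existing
# [(?::){0}kube:*] stanza. "containerNumberFour" is taken from the post;
# use the exact value Splunk Connect assigns, i.e. the sourcetype as it is
# BEFORE the set_sourcetype rename, since that is what props matching sees.
[(?::){0}kube:container:containerNumberFour*]
# Class name is an assumption: it sorts after "set", so this transform runs
# after allowEvents. The last transform that writes DEST_KEY = queue wins.
TRANSFORMS-zdrop = dropLogIniFromContainerFour

# transforms.conf
[dropLogIniFromContainerFour]
# No SOURCE_KEY is set, so the default _raw is used and REGEX matches the
# event text. Only events of the sourcetype named above reach this stanza,
# so the text match alone expresses "sourcetype AND text" here.
REGEX = LOG_INI
DEST_KEY = queue
FORMAT = nullQueue
```

Events of other kube:container:* sourcetypes never enter this stanza, so their LOG_INI events still follow the existing allowEvents routing.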