About jeff1

jeff1 · ‎04-06-2022

hi @gcusello , I do have both indexer and heavy forwarder in my testing environment, may I ask if you mean all index-time operation conf. file is better put in Indexer or Heavy Forwarder? As both of my conf. files mentioned above are put under the path of /etc/apps in Search Head. Here are some of my logs: type=USER_END msg=audit(xxxxxxxxxxxx) source = /var/log/audit/audit.log <- log to keep type=CRED_DISP msg=audit(xxxxxxxxxx) source = /var/log/audit/audit.log <-log to eliminate I am trying to eliminate all logs other than (type=USER_*), where [type] is the interesting field. Sorry for the messy elaboration.

jeff1 · ‎04-06-2022

hi @PickleRick , I put those configuration in a file called local and place it under /opt/splunk/etc/apps directory. For the second question, I am sorry I did not understand it.

jeff1 · ‎04-06-2022

hi @gcusello , I want to discard events that contain specific values in a field in index-time.

jeff1 · ‎04-05-2022

I am trying to write an add-on to eliminate some values in a specific field by plugging in a file containing props.conf and transforms.conf into the splunk/etc/apps directory but failed to get any result. Please give me some advice, my configuration files are as follows: props.conf: [source: path to the log file] TRANSFORMS-elim= elimValue transforms.conf: [elimValue] REGEX=^(type=[A-T]+) DEST_KEY=queue FORMAT=nullQueue Grateful for any help, thanks.

Posts	4
Solutions	0
Karma Given	0
Karma Received	0
Member Since	‎04-04-2022

Online Status	Offline
Date Last Visited	‎04-06-2022 06:53 AM

How to Eliminate some values in specific field?

Re: Eliminate some values in specific field

Re: Eliminate some values in specific field

Re: Eliminate some values in specific field

How to Eliminate some values in specific field?