Hello Giuseppe,
thank you for your prompt reply.
I have re-arranged my props.conf file after reading your reply and also re-configured the transforms.conf file.
Here's how my props.conf file looks now:
[waf_log]
pulldown_type = true
MAX_TIMESTAMP_LOOKAHEAD = 32
SHOULD_LINEMERGE = false
# Transforms in this list run in the order given; each one whose REGEX matches
# overwrites the queue key, so the last matching transform decides where an event goes.
TRANSFORMS-null = waf_include,waf_exclude,waf_include_xapi,waf_drop_x
LEARN_SOURCETYPE = false
TZ = GMT
Transforms.conf looks like this:
[waf_include]
# Sends every event to the index queue (the default); it only has an effect because
# it runs first and the transforms after it can overwrite the queue key.
DEST_KEY = queue
FORMAT = indexQueue
REGEX = .*

[waf_exclude]
DEST_KEY = queue
FORMAT = nullQueue
# Static-content extensions, de-duplicated and made case-insensitive with (?i)
# instead of listing upper- and lower-case spellings separately. The regex is
# unanchored, so the surrounding .* of the original was redundant.
REGEX = (?i)\.(tif|tiff|mp3|jpg|jpeg|js|css|java|ico|waf|png|gif|svg|avi|mid|midi|mpg|mpeg|mov|qt|ram|rar|txt|wav|zip|exe)

[waf_include_xapi]
DEST_KEY = queue
FORMAT = indexQueue
REGEX = blah-blah

[waf_drop_x]
DEST_KEY = queue
FORMAT = nullQueue
REGEX = blahblah
My props.conf and transforms.conf files are on the Splunk manager, I thought that would be the reasonable place to have them.
I also discovered that via https://splunk-fqdn/en-US/debug/refresh I could refresh all the .conf files. Do I definitely need to restart Splunk based on the new changes I have just made?
And lastly, I have fixed the regex to pick up whole URLs on that domain; it's picking up everything I need in the tests I have done. The extensions have also been fixed; I was in a rush to get the question out to the world. Thank you!
What do you think of this now?
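As an added example that is not part of the original post or of Splunk's own code: the routing chain above is easy to get wrong because Splunk applies every transform in a TRANSFORMS-<class> list in order and each matching one overwrites the queue key, so the last match wins. The script below re-implements that rule with Python's re module on constructed WAF events and compares the extension regex as posted against a tightened variant that requires the extension to actually end the path. The `/xapi/` and `/x/` patterns are hypothetical stand-ins for the post's "blah-blah" and "blahblah" placeholders, and the sample events are constructed, not real logs.

```python
import re

# Constructed sample WAF events (not real data); one event per line, matching
# SHOULD_LINEMERGE = false in the post's props.conf.
SAMPLE_EVENTS = [
    "src=203.0.113.7 method=GET uri=/login.php status=200",
    "src=203.0.113.7 method=GET uri=/static/app.js status=200",
    "src=203.0.113.7 method=GET uri=/images/logo.PNG status=200",
    "src=203.0.113.7 method=GET uri=/xapi/v1/users.json status=403",
    "src=203.0.113.7 method=GET uri=/xapi/v1/export.csv?name=dump.zip status=200",
    "src=203.0.113.7 method=GET uri=/x/health status=200",
    "src=203.0.113.7 method=POST uri=/upload/readme.txt.php status=500",
]

# The post's extension list, folded into one case-insensitive alternation.
EXTENSIONS = ("tif|tiff|mp3|jpg|jpeg|js|css|java|ico|waf|png|gif|svg|avi|mid|midi|"
              "mpg|mpeg|mov|qt|ram|rar|txt|wav|zip|exe")

# As posted: unanchored, so "\.js" also matches inside ".json" and "\.txt"
# inside ".txt.php", silently dropping events that are not static content.
EXCLUDE_LOOSE = rf"(?i)\.({EXTENSIONS})"
# Tightened: the extension must be followed by end of line, a query string,
# a fragment or whitespace, i.e. it must really terminate the path.
EXCLUDE_TIGHT = rf"(?i)\.({EXTENSIONS})(?=$|[?#\s])"


def build_chain(exclude_regex):
    """The TRANSFORMS-null chain from the post, in its listed order.
    (name, REGEX, FORMAT) triples; /xapi/ and /x/ are hypothetical placeholders."""
    return [
        ("waf_include",      r".*",         "indexQueue"),
        ("waf_exclude",      exclude_regex, "nullQueue"),
        ("waf_include_xapi", r"/xapi/",     "indexQueue"),
        ("waf_drop_x",       r"/x/",        "nullQueue"),
    ]


def route(event, chain):
    """Apply the chain the way Splunk does: each transform whose REGEX matches
    overwrites the queue key, so the last matching transform decides.
    Returns (final_queue, names_of_transforms_that_matched)."""
    queue, hits = "indexQueue", []   # indexQueue is the default if nothing matches
    for name, regex, dest in chain:
        if re.search(regex, event):
            queue = dest
            hits.append(name)
    return queue, hits


def routing_table(events, exclude_regex):
    """Map each event's uri to the queue it ends up in under the given exclude regex."""
    chain = build_chain(exclude_regex)
    return {re.search(r"uri=(\S+)", ev).group(1): route(ev, chain)[0] for ev in events}


if __name__ == "__main__":
    for label, rx in (("as posted", EXCLUDE_LOOSE), ("tightened", EXCLUDE_TIGHT)):
        print(f"--- exclude regex {label} ---")
        for uri, queue in routing_table(SAMPLE_EVENTS, rx).items():
            print(f"{queue:<11} {uri}")
```

With the regex as posted, /xapi/v1/users.json is first sent to nullQueue by waf_exclude (the `js` alternative matches inside `.json`) and only survives because waf_include_xapi runs later and overwrites the queue again; /upload/readme.txt.php has no such rescue and is dropped. The tightened regex leaves both in indexQueue while still dropping /static/app.js and /images/logo.PNG. Splunk's regex engine is PCRE, so the `(?i)` flag and the lookahead work unchanged in transforms.conf.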