Hi. I am new to Splunk and I am trying to prevent specific logs from being collected. I have 3 Ethernet switches and they generate a lot of garbage and I don't want my logs to be filled by unnecessary entries. I already know that I need to create "stuff" inside props.conf and transforms.conf.
In fact, what I want to do is to send to the nullQueue everything that comes from port udp 514 and that contains the word MSGBUILDER inside the _raw field.
Here is what I did:
props.conf
[source::UDP:514]
TRANSFORMS-set = setnull
transforms.conf
[setnull]
REGEX = MSGBUILDER
DEST_KEY = queue
FORMAT = nullQueue
There must be something I do not do properly because it doesn't work. Splunk continues to collect these logs instead of excluding them.
Can anyone help?
Thanks.
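The mechanism the post is trying to use (a props.conf stanza keyed on the event's source, pointing at a transforms.conf stanza whose REGEX is tested against _raw and whose DEST_KEY/FORMAT pair reroutes matches to nullQueue) can be simulated outside Splunk to check that the two files fit together. The script below is an added example, not code from the post or from Splunk: it parses constructed props.conf and transforms.conf text with Python's configparser and routes constructed syslog lines the way the parsing pipeline would. Two assumptions are built in: the stanza header is written as udp:514, the default source string Splunk assigns to a UDP input on that port, and the simulator matches the source string literally against the stanza name, which is a simplification of Splunk's own stanza matching. Note also that this kind of null-queue filtering only takes effect where parsing happens (an indexer or heavy forwarder), not on a universal forwarder.

```python
import configparser
import re

# Constructed props.conf and transforms.conf text mirroring the post's stanzas.
# The source stanza uses udp:514 (the default source name for a UDP input);
# a header that does not match the source Splunk assigns will never apply.
PROPS_CONF = """
[source::udp:514]
TRANSFORMS-set = setnull
"""

TRANSFORMS_CONF = """
[setnull]
REGEX = MSGBUILDER
DEST_KEY = queue
FORMAT = nullQueue
"""


def load_conf(text):
    """Parse Splunk-style .conf text (INI-like) into {stanza: {key: value}}."""
    parser = configparser.RawConfigParser(strict=False)
    parser.optionxform = str  # keep key case; TRANSFORMS-set must stay as written
    parser.read_string(text)
    return {section: dict(parser[section]) for section in parser.sections()}


def route_event(source, raw, props, transforms):
    """Return the queue an event ends up in: 'indexQueue' or 'nullQueue'.

    Simulation of the parsing step: look up the props stanza for the
    event's source (literal match, an assumption of this simulator), run
    each TRANSFORMS-* rule's REGEX against _raw, and honour the first rule
    that sets DEST_KEY = queue.
    """
    stanza = props.get(f"source::{source}", {})
    for key, value in stanza.items():
        if not key.startswith("TRANSFORMS-"):
            continue
        # A TRANSFORMS-* key may list several transforms, comma separated.
        for name in (n.strip() for n in value.split(",")):
            rule = transforms.get(name)
            if rule is None:
                continue  # dangling reference: transform not defined
            if re.search(rule["REGEX"], raw) and rule.get("DEST_KEY") == "queue":
                return rule["FORMAT"]
    return "indexQueue"


def filter_events(events, props_text=PROPS_CONF, transforms_text=TRANSFORMS_CONF):
    """Route a list of (source, raw) pairs; returns [(raw, queue), ...]."""
    props = load_conf(props_text)
    transforms = load_conf(transforms_text)
    return [(raw, route_event(src, raw, props, transforms)) for src, raw in events]


# Constructed sample syslog lines as they might arrive from the switches.
SAMPLE_EVENTS = [
    ("udp:514", "Jan 10 12:00:01 switch1 MSGBUILDER: buffer allocated"),
    ("udp:514", "Jan 10 12:00:02 switch2 %LINK-3-UPDOWN: Interface Gi1/0/1, changed state to down"),
    ("udp:514", "Jan 10 12:00:03 switch3 MSGBUILDER: buffer released"),
    # Same content but a different source: no props stanza applies, so it is kept.
    ("tcp:1514", "Jan 10 12:00:04 switch1 MSGBUILDER: buffer allocated"),
]

if __name__ == "__main__":
    for raw, queue in filter_events(SAMPLE_EVENTS):
        print(f"{queue:10s} {raw}")
```

Running it shows the two MSGBUILDER lines from udp:514 going to nullQueue, the link-state message being indexed, and the MSGBUILDER line arriving on a different source being indexed because no stanza matched it. The last case is the one to check first when a filter like this appears not to work: the stanza header has to match the source string the input actually carries, which you can confirm by searching the indexed events and looking at their source field.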