Hi, I am using Splunk 6.5.
How can I exclude lines containing a pattern from being indexed? In my case I have IIS access logs forwarded by a Universal Forwarder. I have tried to configure it like this, but log lines that contain bigip are still indexed.
system/default/props.conf
[iis]
INDEXED_EXTRACTIONS = w3c
system/local/props.conf
[iis]
TRANSFORMS-null=ignorebigip
system/local/transforms.conf
[ignorebigip]
REGEX = (?m)^.*(bigip)\s.*$
DEST_KEY = queue
FORMAT = nullQueue
If I understand this answer https://answers.splunk.com/answers/453417/parse-iis-logs-structured-data-on-universal-forwar.html , it is not possible to send to the nullQueue when using the "standard" [iis] sourcetype with INDEXED_EXTRACTIONS = w3c.
Is that true? Do I really have to configure how to extract the fields the "pre-Splunk 6" way?
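Added example (not code from the original post or from Splunk): a small Python harness that applies the REGEX from the posted transforms.conf stanza to constructed IIS W3C lines, mimicking nullQueue routing, and compares it with a word-boundary variant. The sample log lines and the variant pattern are assumptions made for this illustration.

```python
import re

# Constructed IIS W3C access-log sample for this example (not taken from the post).
# The last event has "bigip" as its final field, with no whitespace after it.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem c-ip cs(User-Agent) sc-status
2017-03-01 10:00:01 10.0.0.5 GET /index.html 10.0.0.9 Mozilla/5.0 200
2017-03-01 10:00:02 10.0.0.5 GET /health 10.0.0.2 bigip 200
2017-03-01 10:00:03 10.0.0.5 GET /login 10.0.0.9 Mozilla/5.0 302
2017-03-01 10:00:04 10.0.0.5 GET /health 10.0.0.2 bigip"""

# The REGEX from the post's transforms.conf stanza.
POSTED_REGEX = re.compile(r"(?m)^.*(bigip)\s.*$")
# Assumed alternative: match "bigip" as a whole token without requiring trailing
# whitespace, so a token at the end of the line is also caught.
WORD_REGEX = re.compile(r"\bbigip\b")


def route(log_text, pattern):
    """Mimic TRANSFORMS nullQueue routing: return (indexed, dropped) line lists.

    Here the W3C '#' header lines are routed like any other line; in a real
    pipeline the w3c INDEXED_EXTRACTIONS consumes them before events exist.
    """
    indexed, dropped = [], []
    for line in log_text.splitlines():
        if not line:
            continue
        (dropped if pattern.search(line) else indexed).append(line)
    return indexed, dropped


def dropped_count(log_text, pattern):
    """Number of lines the given pattern would send to the nullQueue."""
    return len(route(log_text, pattern)[1])


if __name__ == "__main__":
    for name, pat in (("posted", POSTED_REGEX), ("word-boundary", WORD_REGEX)):
        kept, gone = route(SAMPLE_LOG, pat)
        print(f"{name}: indexed={len(kept)} dropped={len(gone)}")
```

Because the posted pattern requires whitespace after bigip, an event whose last field is bigip is still indexed; the word-boundary variant drops both events.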