I am setting up a heavy forwarder on multiple machines; one of them has the following requirement:
1) The heavy forwarder should forward only the subset of events that match a given pattern, not all events.
I searched the web and found a couple of Q&As on the same topic, but they don't seem to work for me.
First solution I tried:
With the above solution, I can see in the forwarder log that it continuously says it could not connect to 0.0.0.0:0 and the connection is failing, but nothing is forwarded on the indexer side.
I tried forwarding everything to nullQueue and forwarding only events that match the REGEX by setting up two stanzas in transforms.conf.
That solution also does not seem to work for me.
The pattern I want to match is the following:
oauth.googleusercontent.com, ssl.gstatic.com, fb.com, twitter.com
The heavy forwarder should only send events to the indexer if they match any of the above patterns.
Please let me know if you have any questions about this.
I have already spent a full day exploring this but could not find a solution.
Sorry to raise this question in this manner, but I feel very sad after investigating for over a day without finding a solution. Below is the configuration I am using on my heavy forwarder side.
# props.conf (stanza header not shown in the post)
TRANSFORMS-set = setnull, allowtheseevents

# transforms.conf, first stanza (setnull)
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# transforms.conf, second stanza (allowtheseevents)
REGEX = (?m)ssl.gstatic.com
FORMAT = splunkindexer_9997

# inputs.conf (monitor stanza header not shown in the post)
index = main
sourcetype = filtersplunkproxy
blacklist = .gz

# outputs.conf
defaultGroup = splunkindexer_9997
server = :9997
Please correct me if I am doing something wrong here.
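For comparison, here is a complete nullQueue/allow-list configuration for a heavy forwarder, written as an added example and not taken from the post above. It follows the documented Splunk pattern: the `setnull` transform routes every event to `nullQueue` first, and a second transform routes the wanted events back to `indexQueue`; because transforms are applied left to right and the last write to `DEST_KEY` wins, the allow-list transform must be listed last. It differs from the posted fragments in three places: the allow transform carries `DEST_KEY = queue` and `FORMAT = indexQueue` (the literal queue name, not an output group name), the regex escapes its dots and covers all four hosts in one alternation, and `server` in outputs.conf includes a hostname. The sourcetype `filtersplunkproxy` and the group name `splunkindexer_9997` come from the post; the indexer hostname `splunk-indexer.example.com` is an assumption for this example.

```ini
# props.conf on the heavy forwarder: bind both transforms to the sourcetype.
# Order matters: setnull first, allowtheseevents last, so the allow rule's
# DEST_KEY write is the one that survives.
[filtersplunkproxy]
TRANSFORMS-set = setnull, allowtheseevents

# transforms.conf on the heavy forwarder
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[allowtheseevents]
# Dots are escaped so "fb.com" does not also match "fbXcom"; one alternation
# covers all four hosts from the question. FORMAT must be the queue name
# indexQueue, and DEST_KEY = queue is required for FORMAT to take effect.
REGEX = (?:oauth\.googleusercontent\.com|ssl\.gstatic\.com|fb\.com|twitter\.com)
DEST_KEY = queue
FORMAT = indexQueue

# outputs.conf on the heavy forwarder
[tcpout]
defaultGroup = splunkindexer_9997

[tcpout:splunkindexer_9997]
# host:port of the indexer; the hostname is assumed for this example
server = splunk-indexer.example.com:9997
```

After restarting splunkd on the forwarder, `splunk btool props list filtersplunkproxy --debug` and `splunk btool transforms list --debug` show which file each setting is actually read from, which is the quickest way to catch a stanza that landed in the wrong app or file. Only events that arrive after the restart are affected; anything already indexed stays in `main`. The filter applies to raw event text, so if the proxy log records hostnames in a different case or in an encoded form the regex has to match that form, and `(?m)` is only needed when the matching has to span lines inside a multi-line event.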