About rkymtnhigh

rkymtnhigh · ‎06-01-2020

Resolved the issue using [source::....log] stanza in props.conf. Thanks everyone for your help.

rkymtnhigh · ‎06-01-2020

[setnull] REGEX = empty logger DEST_KEY = queue FORMAT = nullQueue

rkymtnhigh · ‎06-01-2020

I think my issues lies with my props.conf source.. I am currently using: [source::d:\logs\...\*.log] TRANSFORMS-null = setnull I tried using the sourcetype that shows up when I search these events "SampleSourcetype2" Here is how I have it set: [sourcetype::SampleSourcetype2] TRANSFORMS-null = setnull Then in transforms.conf [setnull] REGEX = empty logger DEST_KEY = queue FORMAT = nullQueue The events with "empty logger" are still being indexed however.

rkymtnhigh · ‎05-29-2020

I have one indexer that is receiving events from a remote Windows host via the Universal Forwarder. I am trying to filter out events that contain the string 'empty logger' in the log file D:\Logs\Test\testlog5_29_20.log file on the remote server. I have attempted to use the props.conf and the transforms.conf files on the indexer to send the events matching the regex to nullqueue, but the events in question are still making it. I am suspecting that the source stanza in the props.conf file isn't correct, as I am specifying a directory that only exists on the remote Windows hosts. Am I correct in that assumption?

Posts	4
Solutions	0
Karma Given	0
Karma Received	1
Member Since	‎05-29-2020

Online Status	Offline
Date Last Visited	‎06-05-2020 02:03 AM

How to filter out specific events sent via Univers...

Re: How to filter out specific events sent via Uni...

Re: How to filter out specific events sent via Uni...

Re: How to filter out specific events sent via Uni...

How to filter out specific events sent via Univers...