Hi,
I am using the external data source named firewall and I want to ignore the data
"Apr 2 16:06:15 firewall device_id=abcde1234 [Root]system-critical-00033: Src IP session limit! From a.b.c.d to i.j.k.l, proto 1 (zone Trust int ethernet0/3). Occurred 2 times. (2013-04-02 16:06:14)"
which contains "From a.b.c.d".
I tried to configure "props.conf":
[source::firewall]
TRANSFORMS-null = setnull
[setnull]
REGEX = From\sa.b.c.d
DEST_KEY = queue
FORMAT = nullQueue
But it shows the warning:
"Possible typo in stanza [setnull] in /opt/splunk/etc/system/local/props.conf, line 5: REGEX = From\sa.b.c.d
Possible typo in stanza [setnull] in /opt/splunk/etc/system/local/props.conf, line 6: DEST_KEY = queue
Possible typo in stanza [setnull] in /opt/splunk/etc/system/local/props.conf, line 7: FORMAT = nullQueue"
How should I modify it to get a correct config? Thanks in advance.
Thanks. That is what was missing: creating transforms.conf.
The setnull transform should go into transforms.conf, not props.conf. Read the docs, here: http://docs.splunk.com/Documentation/Splunk/5.0.2/Deploy/Routeandfilterdatad#Discard_specific_events...
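The same filter split across the two files as the answer describes, as an added example rather than config from the original post; it assumes the source name is exactly "firewall" and that a.b.c.d stands in for the real address being dropped:

```ini
# props.conf  (assumption: the input's source field is exactly "firewall")
[source::firewall]
TRANSFORMS-null = setnull

# transforms.conf  (same local directory as props.conf, e.g. system/local or an app's local)
[setnull]
# Dots are escaped so the pattern matches the literal address a.b.c.d only;
# an unescaped "." matches any character and would silently drop more events.
# Replace a\.b\.c\.d with the real source address being filtered.
REGEX = From\sa\.b\.c\.d\b
DEST_KEY = queue
FORMAT = nullQueue
```

The transform is applied at index time on the indexer (or heavy forwarder) that parses the data, so place both files there and restart Splunk for the change to take effect; events routed to nullQueue are never indexed, so confirm with a search that only the intended source address disappears.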