Hi,
I tried props.conf and transforms.conf solution but it did not work.
props.conf
[access_combined]
pulldown_type = true
maxDist = 28
MAX_TIMESTAMP_LOOKAHEAD = 128
REPORT-access = access-extractions
SHOULD_LINEMERGE = False
TIME_PREFIX = \[
TRANSFORMS-set= strip_images_header
transforms.conf
[strip_images_header]
REGEX = *.jpg*
DEST_KEY = queue
FORMAT = nullQueue
But .jpg files are still indexing on access_combined sourcetype logs. What do i do wrong?
Please Help
REGEX = (.jpg|.png|.gif|.xml|.ico|.css|.js)
ok all set thanks friends.
Your regex is syntactically incorrect. You can verify here for instance: http://regexpal.com/
You probably want something like REGEX = \.jpg$
More information about regular expressions: http://www.regular-expressions.info/
Sure, from a regex point of view that's still one expression, only slightly more complex:
REGEX = \.(jpg|png|gif)$
All set thanks for help friends.
Last question is can i write multiple entries in one regexp line?
such as
REGEXP .jpg|.png|.gif
If you're putting this config onto a universal forwarder then nothing's going to happen because the UF doesn't parse the input data. You need to configure this on the indexers or heavy forwarders.
Thanks i find that out and changed it on the forwarder configs but still did not work. Now I try same config on the indexer configs. Waiting for result restart takes time too big. > 50TB.