I need to implement a regex to filter the contents of VMware infrastructure logs.
The only logs I want to receive and index in Splunk will have to be:
Mar 25 10:36:45 172.20.1.9 2015-03-25T09:36:31.014Z IBM-ESXi-5.aditinet.local Hostd: [FFB37920 info 'Vimsvc.ha-eventmgr' opID=B6CBCB83-00000031 user=DOMAIN\test.test] Event 2459 : User DOMAIN\firstname.lastname@example.org logged out (login time: Wednesday, 25 March, 2015 09:35:59, number of API invocations: 0, user agent: VMware VI Client/4.0.0)
I want to filter only on the words "login time".
These are my props.conf and transform.conf, located in /opt/splunk/etc/system/local:
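For reference, the standard Splunk way to keep only events containing a phrase is a two-step routing transform: first send every event for the sourcetype to nullQueue, then override the queue back to indexQueue for events whose raw text matches the regex. The pair of files below is an added example written for this thread; it is not the poster's configuration. The sourcetype name `vmware:esxi:hostd` and the stanza names `setnull` and `keep_login` are assumed placeholders; substitute the sourcetype (or a `[source::...]` / `[host::...]` stanza) that the ESXi syslog input actually uses.

```ini
# props.conf  (/opt/splunk/etc/system/local/props.conf)
# "vmware:esxi:hostd" is an assumed sourcetype name for this example.
[vmware:esxi:hostd]
# Order matters: transforms run left to right. setnull drops every event,
# then keep_login re-routes only the matching events to the index queue.
TRANSFORMS-filter = setnull, keep_login

# transforms.conf  (/opt/splunk/etc/system/local/transforms.conf)
[setnull]
# "." matches any event, so everything is routed to nullQueue by default.
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[keep_login]
# Match the literal phrase anywhere in _raw. \s instead of a bare space
# tolerates a tab or doubled space; add (?i) at the front if casing varies.
REGEX = login\stime
DEST_KEY = queue
FORMAT = indexQueue
```

These settings only take effect on the instance that parses the data (an indexer or heavy forwarder, not a universal forwarder), and splunkd must be restarted after the files change. `splunk btool props list vmware:esxi:hostd --debug` shows which file each setting is being read from, which is the quickest way to confirm the stanza is actually applied to the incoming sourcetype.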