My Heavy Forwarder forwards data to the indexer fine, however, I wanted to filter out some events before being forwarded using props.conf and transforms.conf, but the indexer still receives everything.
props.conf:
[source::/var/log/vsftpd.log]
TRANSFORMS-null = setnull
transforms.conf:
[setnull]
REGEX = 220
DEST_KEY = queue
FORMAT = nullQueue
for testing, I just simplified the REGEX to filter out all events containing "220"
I even tried `REGEX = .` (to filter out everything) but still had no effect.
What am I missing?
I'm using Splunk 6.2.5 BTW.
↧
