props.conf

[firewall]
TRANSFORMS-set = setnull,setparsing

transforms.conf

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = 192\.168\.1\.1
DEST_KEY = queue
FORMAT = indexQueue

I have a heavy forwarder with the following. What I want to do is only forward events that match the regex to our indexers for indexing and discard the rest. It doesn't matter what I put in the REGEX section, though; nothing comes through, even if I look at the logs and see that there are definitely matches.
If I change props.conf to
TRANSFORMS-set = setparsing
I get all events from the logs, so that leads me to believe that my DEST_KEY and FORMAT are configured correctly.
Why isn't this filtering events and forwarding to my indexers?