I have a Heavy Forwarder installed which sends the logs to Splunk Cloud. Here's the workflow; please shed some light on this.
UFs -----> HWF -----> Splunk Cloud indexers
- Data is flowing into the cloud and is searchable, but when I tried to place some filtering on the HWF using props.conf and transforms.conf, it's not filtering.
- I want to drop the events which contain the keyword POST.
Here are the configs I have used:
HWF=========
outputs.conf
indexAndForward = false (not sure if I have to make it true for filtering; I don't want to index data locally. Filtering didn't work even when it was true, though.)
props.conf
[source::/path/to/my/apache/logs/access*.log] (I also tried with the sourcetype here: [apache_access])
TRANSFORMS-null = filter_diagnose, filter_scalars
transforms.conf
[filter_diagnose]
REGEX = \"POST\s\/.*diagnoseMonitor
DEST_KEY = queue
FORMAT = nullQueue
[filter_scalars]
REGEX = \"POST\s\/.*Scalar\.html
DEST_KEY = queue
FORMAT = nullQueue
=====================================================================
I have also tried this way, using keywords to filter.
props.conf
[source::/path/to/my/apache/logs/access*.log] (I also tried with the sourcetype here: [apache_access])
TRANSFORMS-set = setnull, setparsing
transforms.conf
[setnull]
REGEX = POST
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX = .
DEST_KEY = queue
FORMAT = indexQueue
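Added example, not part of the original post: a small Python model of how Splunk evaluates the transforms listed in one TRANSFORMS-<class> line. Splunk applies them left to right and the last transform whose REGEX matches sets DEST_KEY = queue, so with setnull followed by setparsing (REGEX = . matches every event) everything ends up in indexQueue; listing setparsing first and setnull last drops the POST events. The sample access-log lines and the "HYPOTHETICAL-missing-stanza" name are constructed for the demo.

```python
import re

# Constructed Apache access-log lines (not from the original post).
SAMPLE_EVENTS = [
    '10.0.0.1 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.2 - - [01/Jan/2024:10:00:01 +0000] "POST /api/diagnoseMonitor HTTP/1.1" 200 64',
    '10.0.0.3 - - [01/Jan/2024:10:00:02 +0000] "POST /report/Scalar.html HTTP/1.1" 200 128',
    '10.0.0.4 - - [01/Jan/2024:10:00:03 +0000] "GET /status HTTP/1.1" 200 32',
]

# Model of the transforms.conf stanzas from the post: name -> (REGEX, FORMAT for DEST_KEY=queue).
# Backticks are not part of REGEX syntax in transforms.conf; these are plain PCRE patterns.
TRANSFORMS = {
    "setnull":         (re.compile(r"POST"),                        "nullQueue"),
    "setparsing":      (re.compile(r"."),                           "indexQueue"),
    "filter_diagnose": (re.compile(r'"POST\s/.*diagnoseMonitor'),   "nullQueue"),
    "filter_scalars":  (re.compile(r'"POST\s/.*Scalar\.html'),      "nullQueue"),
}


def route_event(event, transform_order):
    """Apply the named transforms in order, as Splunk does for one TRANSFORMS-<class> line.
    Every matching transform overwrites the queue key, so the LAST match wins.
    A name with no stanza is skipped (Splunk only logs a warning, it does not filter)."""
    queue = "indexQueue"  # default destination when nothing matches
    for name in transform_order:
        spec = TRANSFORMS.get(name)
        if spec is None:
            continue
        regex, dest = spec
        if regex.search(event):
            queue = dest
    return queue


def route_all(events, transform_order):
    """Return the final queue for each event under the given transform order."""
    return [route_event(e, transform_order) for e in events]


if __name__ == "__main__":
    for order in (["setnull", "setparsing"], ["setparsing", "setnull"]):
        print(order, route_all(SAMPLE_EVENTS, order))
```

The "setnull, setparsing" order from the post keeps all four constructed events; only the reversed order sends the two POST lines to nullQueue, which is the check to run before assuming the regex itself is at fault.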