Channel: Questions in topic: "heavy-forwarder"

Splunk heavy forwarder: filter events

Hi all, I am trying to filter events that are coming from several Splunk universal forwarders. I have set up a Splunk server that gets all the logs from the universal forwarders, filters them and then sends them to the Splunk index server. I have read https://docs.splunk.com/Documentation/Splunk/7.1.3/Forwarding/Routeandfilterdatad

I want to keep only the events that contain the words error or fetch and discard the rest. So I created props.conf, transforms.conf and outputs.conf in the path $SPLUNK_HOME/etc/system/local.

props.conf

    [app_logs]
    TRANSFORMS-set=appjunk, appfetch

transforms.conf

    [appjunk]
    REGEX = .
    DEST_KEY = queue
    FORMAT = nullQueue

    [appfetch]
    REGEX = fetch error
    DEST_KEY = _TCP_ROUTING
    FORMAT = mainindx

outputs.conf

    [tcpout:mainindx]
    server=10.158.0.6:9997

I have configured the Splunk index server to receive data on port 9997, and the Splunk heavy forwarder can also receive data on this port. I have tried to configure the Splunk heavy forwarder in this way and it won't work, and I also tried to change the order of the TRANSFORMS-set command and transforms.conf and it still won't work. Thank you in advance.
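For reference, here is the "keep matching events, discard the rest" pattern as described in the Splunk "Route and filter data" documentation the question links to, written out as an added example (this is not the poster's configuration, and it is not an official Splunk file). The sourcetype name app_logs, the tcpout group name mainindx and the indexer address 10.158.0.6:9997 are taken from the question; the stanza name appkeep and the case-insensitive match are my own choices.

```ini
# Added example (not the poster's configuration): the documented
# "keep only matching events, drop everything else" pattern.
# Files live in $SPLUNK_HOME/etc/system/local on the heavy forwarder.

# --- props.conf ---
# Sourcetype name "app_logs" is taken from the question.
[app_logs]
# Transforms in one TRANSFORMS- class run in list order, and a later
# transform that sets the same DEST_KEY overrides an earlier one,
# so the "keep" rule must come after the "discard" rule.
TRANSFORMS-set = appjunk, appkeep

# --- transforms.conf ---
# 1. Default: send every event to the null queue (discarded, unrecoverable).
[appjunk]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# 2. Pull back events whose _raw contains "error" or "fetch".
#    "|" is alternation; "fetch error" would only match that literal phrase.
#    (?i) makes the match case-insensitive (assumption: that is wanted).
[appkeep]
REGEX = (?i)(error|fetch)
DEST_KEY = queue
FORMAT = indexQueue

# --- outputs.conf ---
# With a single tcpout group, surviving events go to the indexer
# without any _TCP_ROUTING transform. Address is the one in the question.
[tcpout]
defaultGroup = mainindx

[tcpout:mainindx]
server = 10.158.0.6:9997
```

Restart splunkd on the heavy forwarder after editing, and check that the merged configuration is what you expect with `splunk btool transforms list --debug` and `splunk btool props list app_logs --debug`. On the indexer, a search such as `sourcetype=app_logs NOT (error OR fetch)` over a recent window should return nothing once the filter is in place. From a monitoring standpoint, remember that nullQueue drops are irreversible on the forwarder side, so make sure the keep regex really covers every event class your detections depend on before relying on it.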
