Hello,
is it possible to filter events based on sourcetype + (host OR sourcetype) with props.conf/transforms.conf on indexers?
Filtering data only based on sourcetype or source could be too wide.
Thanks.
Hi @realsplunk,
to filter events you have to identify a broad piece of information (e.g. sourcetype, host or source), then you have to find a regex to filter the logs related to that information.
You cannot use two of the above pieces of information (e.g. sourcetype+host).
E.g.: sourcetype=WinEventLog:Security and regex = EventCode=1234
in props.conf
# sourcetype stanza: hand matching events to the "setnull" transform
[wineventlog:security]
TRANSFORMS-null = setnull
in transforms.conf
# events whose raw text matches REGEX are routed to the nullQueue (discarded)
[setnull]
REGEX = EventCode\=1234
DEST_KEY = queue
FORMAT = nullQueue
For more info see https://docs.splunk.com/Documentation/Splunk/8.0.1/Forwarding/Routeandfilterdatad
Ciao.
Giuseppe
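As an added worked example (not code from this thread and not Splunk's own code), the Python script below simulates what the indexer does with the two stanzas above: it parses the posted props.conf/transforms.conf text, and for each sample event decides whether it goes to the index or to the nullQueue. The host field is carried along only to show that the routing decision never consults it. It also surfaces one caveat a practitioner would want to check before deploying: the unanchored REGEX `EventCode\=1234` also matches `EventCode=12345`, so a tighter pattern such as `EventCode=1234(?!\d)` is included for comparison. The sample events, host names, the stanza-name case folding and the minimal .conf parser are all constructed assumptions of this example.

```python
import re

# Constructed copies of the two stanzas from the answer above.
PROPS_CONF = """
[wineventlog:security]
TRANSFORMS-null = setnull
"""

TRANSFORMS_CONF = """
[setnull]
REGEX = EventCode\\=1234
DEST_KEY = queue
FORMAT = nullQueue
"""

# Constructed sample events: the metadata an indexer sees plus the raw text
# that a transforms.conf REGEX is applied to. Hosts are made up.
SAMPLE_EVENTS = [
    {"host": "dc01", "sourcetype": "WinEventLog:Security",
     "_raw": "LogName=Security EventCode=1234 EventType=0 Message=example"},
    {"host": "dc02", "sourcetype": "WinEventLog:Security",
     "_raw": "LogName=Security EventCode=4624 EventType=0 Message=logon"},
    {"host": "dc01", "sourcetype": "WinEventLog:System",
     "_raw": "LogName=System EventCode=1234 EventType=0 Message=service"},
    {"host": "dc01", "sourcetype": "WinEventLog:Security",
     "_raw": "LogName=Security EventCode=12345 EventType=0 Message=other"},
]


def parse_conf(text):
    """Minimal parser for Splunk-style .conf text -> {stanza: {key: value}}.
    Assumption: stanza names are folded to lower case, comments start with '#'."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")  # split on the first '=' only
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def build_nullqueue_rules(props_text, transforms_text):
    """Join TRANSFORMS-* keys in props.conf to transforms.conf stanzas that
    route to the nullQueue. Returns {sourcetype_stanza: [regex, ...]}."""
    props, transforms = parse_conf(props_text), parse_conf(transforms_text)
    rules = {}
    for stanza, settings in props.items():
        for key, value in settings.items():
            if not key.startswith("TRANSFORMS-"):
                continue
            for name in (n.strip().lower() for n in value.split(",")):
                t = transforms.get(name, {})
                if t.get("DEST_KEY") == "queue" and t.get("FORMAT") == "nullQueue":
                    rules.setdefault(stanza, []).append(t["REGEX"])
    return rules


def route_event(event, rules):
    """'nullQueue' if any REGEX for the event's sourcetype matches _raw,
    otherwise 'indexQueue'. Note: only sourcetype and _raw are consulted;
    event['host'] plays no part, matching the limitation the answer describes."""
    for pattern in rules.get(event["sourcetype"].lower(), []):
        if re.search(pattern, event["_raw"]):  # unanchored, like transforms.conf REGEX
            return "nullQueue"
    return "indexQueue"


def filter_events(events, rules):
    """Return the events that survive (would be indexed)."""
    return [e for e in events if route_event(e, rules) == "indexQueue"]


# Tighter variant: a negative lookahead stops EventCode=1234 matching EventCode=12345.
TIGHT_RULES = {"wineventlog:security": [r"EventCode=1234(?!\d)"]}


if __name__ == "__main__":
    rules = build_nullqueue_rules(PROPS_CONF, TRANSFORMS_CONF)
    for label, r in (("posted regex", rules), ("tightened regex", TIGHT_RULES)):
        print(f"--- {label}: {r}")
        for e in SAMPLE_EVENTS:
            print(f"{e['host']:5} {e['sourcetype']:22} -> {route_event(e, r)}")
```

Running the script shows the posted regex dropping both the EventCode=1234 and the EventCode=12345 security events from every host, while the System event with the same code is kept because its sourcetype has no transform attached; the tightened pattern keeps the 12345 event.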
Whitelist or blacklist specific incoming data
How's this?
Thanks, do you have an example based on a string?
No, I don't. Sorry.