I'm trying to get a multi-line log4j event sent to the nullQueue on a Regular forwarder. Here is my inputs/props/transforms.conf:
[monitor:///opt/ShoppingSite/work/logs/tomcat.log]
disabled = false
followTail = 1
sourcetype = log4j
[source::///opt/ShoppingSite/work/logs/tomcat.log]
TRANSFORMS-filtercrap = cleantomcat
[cleantomcat]
REGEX = (?m).+getResponseEntity\nINFO:\s+The\slength\sof\sthe\smessage\sbody\sis\sunknown.+
DEST_KEY = queue
FORMAT = nullQueue
This is the event from my tomcat log I need filtered:
Nov 24, 2010 12:51:18 PM com.noelios.restlet.http.HttpClientCall getResponseEntity
INFO: The length of the message body is unknown. The entity must be handled carefully and consumed entirely in order to surely release the connection.
I've checked my regex using KiKi (Linux regex utility). Anyone have any thoughts? These events are still showing up when I search on my search head.
What happens if you change the props.conf from
[source::///opt/ShoppingSite/work/logs/tomcat.log]
to
[log4j]
and restart the forwarder?
What happens if you change the props.conf from
[source::///opt/ShoppingSite/work/logs/tomcat.log]
to
[log4j]
and restart the forwarder?
source::
clauses should not have the triple slashes ///
at the start, just the /
. The //
is part of inputs monitor syntax.
That seems to work. Why would sourcetype work but not source?