I'm trying to use a regex in a transforms.conf file on the Indexer to prevent indexing of informational and debug messages in specific files. The messages are in this format:
2018-11-30 13:10:55,474 INFO blah blah blah
2018-11-30 13:10:55,474 DEBUG blah blah blah
There are three Indexers in our environment. I have this coded in the props.conf files on the Indexers:
[source::...*(plain|debug|startup).log*]
TRANSFORMS-null12 = setnull12
... and this in the transforms.conf files:
[setnull12]
REGEX = ^\d+-\d+-\d+\s+\d+:\d+:\d+,*\d+\s+([a-zA-Z0-9]+\s+)?(INFO|DEBUG)\s+.*
DEST_KEY = queue
FORMAT = nullQueue
The undesirable messages are no longer getting indexed by two of the Indexers, but they are still getting indexed on the third Indexer.
I've used btool to compare props.conf and transforms.conf files on all three Indexers. There are no differences in transforms.conf files and only inconsequential differences in props.conf files ("pulldown_type = true" set for some sourcetypes for two of the three Indexers, and some unrelated learned sourcetypes defined on one of the Indexers where the rules are working).
Does anyone have any ideas of what might be wrong or how I might go about troubleshooting this? I realize it's impossible for anyone to say for sure without a complete picture of our configuration files, but any ideas would be appreciated.
Why is my regex in transforms.conf for source in props.conf not working for one of three Indexers?
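An added example (not part of the original post and not Splunk's own code) for checking the posted stanza and REGEX offline against sample events. Python's `re` stands in for Splunk's PCRE, the `source::` wildcard handling is a model of the rules in the props.conf spec, Unix path separators are assumed, and the file paths and the non-INFO/DEBUG events are constructed.

```python
import re

# Copied from the post's props.conf stanza and transforms.conf REGEX.
SOURCE_STANZA = "...*(plain|debug|startup).log*"
TRANSFORM_REGEX = r"^\d+-\d+-\d+\s+\d+:\d+:\d+,*\d+\s+([a-zA-Z0-9]+\s+)?(INFO|DEBUG)\s+.*"

def source_pattern_to_regex(pattern):
    """Model of the source:: wildcard rules in the props.conf spec:
    '...' spans directories, '*' stops at a path separator, '(', ')' and
    '|' group alternatives, everything else is literal. Assumes '/' paths
    and a whole-string match."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("...", i):
            out.append(".*")
            i += 3
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            ch = pattern[i]
            out.append(ch if ch in "()|" else re.escape(ch))
            i += 1
    return re.compile("^" + "".join(out) + "$")

def routed_to_null_queue(source, event):
    """True when the stanza applies to `source` and REGEX matches `event`."""
    if not source_pattern_to_regex(SOURCE_STANZA).match(source):
        return False
    return re.search(TRANSFORM_REGEX, event) is not None

# Constructed samples: paths and the last four events are not from the post.
SAMPLES = [
    ("/opt/app/logs/debug.log", "2018-11-30 13:10:55,474 INFO blah blah blah"),
    ("/opt/app/logs/debug.log", "2018-11-30 13:10:55,474 DEBUG blah blah blah"),
    ("/opt/app/logs/startup.log.1", "2018-11-30 13:10:55,474 main INFO started"),
    ("/opt/app/logs/debug.log", "2018-11-30 13:10:55,474 ERROR disk full"),
    # The optional token group consumes ERROR, so this event is dropped too.
    ("/opt/app/logs/debug.log", "2018-11-30 13:10:55,474 ERROR INFO endpoint down"),
    ("/opt/app/logs/access.log", "2018-11-30 13:10:55,474 INFO blah blah blah"),
]

if __name__ == "__main__":
    for source, event in SAMPLES:
        verdict = "nullQueue" if routed_to_null_queue(source, event) else "indexed"
        print(f"{verdict:9}  {source}  {event}")
```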