Not able to exclude events from indexing on Splunk Enterprise Free version. Can anyone help me out here?

Sample data:

Name:mango
Name:Mango
Name:ManGo
Name:apple
Name:banana
Name:strawberry
Name:pineapple

props.conf:

[txt1]
DATETIME_CONFIG = CURRENT
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Custom
pulldown_type = true
TRANSFORMS-set= setnull

transforms.conf:

[setnull]
REGEX = mango
DEST_KEY = queue
FORMAT = nullQueue

Why am I not able to exclude events from getting indexed with my current props and transforms.conf?