We have a condition where we need to filter out data based on the byte count in the log. We have collapsed the source and sourcetype names coming from different servers and we need to be specific based on the index name.
Instead of:
props.conf
[source::///var/log/paloalto/palo.log]
TRANSFORMS-null = setnull
Can we use for the props.conf configuration:
[index::plvpalo]
TRANSFORMS-null = setnull
Or
[source::///var/log/paloalto/palo.log]
index = plvpalo
TRANSFORMS-null = setnull