Looking to get the correct regex statement for my transforms.conf to select both the "(vert.x-eventloop-thread-4)" and the "Request is valid" strings. If these both exist on that same line, I do not want to ingest that line into Splunk.
And what if I want to also exclude other lines of logs that contain other text strings? Like to also exclude rows with "validating the required header fields"?
Can I combine multiple regex lines into one? Not sure how that works.
Example Log:
2017-05-25 23:22:31,422 INFO **(vert.x-eventloop-thread-4)** ?.: TID: b47d618c-a5fc-4d41-a7a2-b1c0fae15dc0 - **Request is valid**
2017-05-25 23:22:31,419 INFO **(vert.x-eventloop-thread-4)** ?.: TID: b47d618c-a5fc-4d41-a7a2-b1c0fae15dc0 - **validating the required header fields**
Thinking I got the rest...
Props.conf
[default]
TRANSFORMS-null= setnull
Transforms.conf
[setnull]
REGEX = ???HELP???
DEST_KEY = queue
FORMAT = nullQueue
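Added example, not part of the original post: one way to fold the thread marker and several message strings into a single REGEX value, checked against sample lines before it goes into transforms.conf. Python's re module stands in for Splunk's PCRE here (the pattern uses only syntax common to both), the helper names are hypothetical, and it assumes the thread marker always precedes the message, as it does in the log lines above.

```python
import re

# Strings taken from the question; helper names are hypothetical.
THREAD = "(vert.x-eventloop-thread-4)"
MESSAGES = ["Request is valid", "validating the required header fields"]

def pcre_quote(text):
    """Backslash-escape regex metacharacters so the text matches literally."""
    return re.sub(r"([\\.^$|?*+()\[\]{}])", r"\\\1", text)

def build_drop_regex(thread, messages):
    """Thread marker, then any one of the messages later on the same line."""
    alternatives = "|".join(pcre_quote(m) for m in messages)
    return f"{pcre_quote(thread)}.*(?:{alternatives})"

def render_stanza(name, regex):
    """transforms.conf stanza built from the keys shown in the question."""
    return f"[{name}]\nREGEX = {regex}\nDEST_KEY = queue\nFORMAT = nullQueue\n"

def split_events(lines, regex):
    """Return (kept, dropped) using an unanchored search over each raw line."""
    pattern = re.compile(regex)
    kept = [line for line in lines if not pattern.search(line)]
    dropped = [line for line in lines if pattern.search(line)]
    return kept, dropped

# Constructed sample. The first two lines follow the question's log with the
# bold markers removed; the last two are invented lines that must survive.
TID = "TID: b47d618c-a5fc-4d41-a7a2-b1c0fae15dc0"
SAMPLE = [
    f"2017-05-25 23:22:31,422 INFO (vert.x-eventloop-thread-4) ?.: {TID} - Request is valid",
    f"2017-05-25 23:22:31,419 INFO (vert.x-eventloop-thread-4) ?.: {TID} - validating the required header fields",
    f"2017-05-25 23:22:31,430 INFO (vert.x-eventloop-thread-7) ?.: {TID} - Request is valid",
    f"2017-05-25 23:22:31,431 WARN (vert.x-eventloop-thread-4) ?.: {TID} - Request rejected",
]

DROP_REGEX = build_drop_regex(THREAD, MESSAGES)

if __name__ == "__main__":
    print(render_stanza("setnull", DROP_REGEX))
    kept, dropped = split_events(SAMPLE, DROP_REGEX)
    print(f"dropped {len(dropped)} line(s), kept {len(kept)} line(s)")
    for line in kept:
        print("KEEP:", line)
```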