Channel: Questions in topic: "props.conf"

Setting up props.conf and transforms.conf log filtering in Splunk Web. Can you point me to the relevant documentation?

I apologize if this is a very obvious question, but I'm completely lost. A project I am working on is to filter the logs coming in so they are never indexed in the first place. Using a question here, I was able to make these props.conf and transforms.conf files:

```
#props
[sourcetype]
TRANSFORMS-set=setnull,setparsing

#transforms
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = regex_to_match_at_front_(code1|code2|code3)
DEST_KEY = queue
FORMAT = indexQueue
```

Here is the question I got this from: https://answers.splunk.com/answers/185495/how-to-configure-propsconf-and-transformsconf-to-s-1.html

Now I need to test this. Since I have to do this via Splunk Web, I'm trying to set up these options in a new sourcetype, via the advanced options. I know I can set up a sourcetype to properly parse the events, but whenever I add some of the code as new settings, Splunk automatically deletes them (as with TRANSFORMS-set=setnull,setparsing) or replaces them (I obviously cannot have two REGEX).

Basically, is it even possible to set this up in Splunk Web? If so, can you link me to the relevant documentation? I don't have access to the backend, so I need to decide how to proceed. Thank you.

P.S. If anyone has another way of whitelisting events, I'd like to hear about it.
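An offline model of the whitelist logic in the two transforms stanzas from the post, added here as an example and not part of the original post. It assumes Splunk applies the transforms named in a `TRANSFORMS-` list left to right, with a later match overwriting the queue, and it uses Python's `re` in place of Splunk's PCRE engine; the sample events are constructed.

```python
import re

# Transforms from the post, in the order listed in TRANSFORMS-set.
# Each entry: (stanza name, REGEX, value written to the queue key).
# The keep-pattern is the post's placeholder regex, not a real one.
TRANSFORMS = [
    ("setnull", r".", "nullQueue"),
    ("setparsing", r"regex_to_match_at_front_(code1|code2|code3)", "indexQueue"),
]


def route(event, transforms=TRANSFORMS):
    """Return the queue an event ends up in after every transform has run."""
    queue = "indexQueue"  # default when nothing matches: the event is indexed
    for _name, pattern, dest in transforms:
        # Assumption: REGEX is unanchored and is tested against the raw event.
        if re.search(pattern, event):
            queue = dest  # a later match overwrites an earlier one
    return queue


def kept(events, transforms=TRANSFORMS):
    """Events that would reach the index (the whitelist result)."""
    return [e for e in events if route(e, transforms) == "indexQueue"]


# Constructed sample events, not taken from any real log.
SAMPLE_EVENTS = [
    "regex_to_match_at_front_code1 user login ok",
    "regex_to_match_at_front_code9 heartbeat",
    "unrelated debug line",
    "regex_to_match_at_front_code3 disk warning",
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{route(e):10}  {e}")
    # With the order reversed, setnull runs last and discards everything.
    print(kept(SAMPLE_EVENTS, list(reversed(TRANSFORMS))))
```

Swapping in the real keep-pattern and a handful of representative events shows which ones survive before the configuration is deployed.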
