Hi, I'm trying to remove part of my watchguard logs from splunk that just report session timeouts. Here is what I'm trying:
Props.conf
[watchguard]
TRANSFORMS-watchguard = remove-session-timeout
Transforms.conf
[remove-session-timeout]
REGEX = ^[^\)\n]*\)\s+(\w+\[\d+\]:\s+\w+\s+\w+\s+\w+:)
DEST_KEY = queue
FORMAT = nullQueue
I'm doing a general search via index="watchguard" and still seeing the idle timeout logs. Do I need specific nomenclature for this to work correctly? I'm assuming I can call the props.conf [ ] any name I want. Also should I be opening and closing with code /code?
Thanks.
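An added check, not part of the original post, that runs the transforms.conf REGEX over a few constructed sample events in Python so you can see which events a nullQueue filter would drop before deploying it. The sample lines are made up to follow the shape the regex expects (they are not real WatchGuard output), and the capture group is left unnamed because the group's name did not survive in the post.

```python
import re

# The REGEX value from the transforms.conf stanza, with an unnamed group.
# Splunk uses PCRE, but for this pattern Python's re engine behaves the same.
TRANSFORMS_REGEX = r"^[^\)\n]*\)\s+(\w+\[\d+\]:\s+\w+\s+\w+\s+\w+:)"


def compile_transforms_regex(regex_text=TRANSFORMS_REGEX):
    """Compile the stanza's REGEX exactly as it would be applied to _raw."""
    return re.compile(regex_text)


# Constructed sample events (not real WatchGuard logs).
SAMPLE_EVENTS = [
    # shape "(...) proc[pid]: word word word:" -> the filter matches this one
    "Jan 10 12:00:01 fw1 (10.0.0.1) firewall[1234]: tcp session timeout: src_ip=10.0.0.5 dst_ip=203.0.113.7",
    # the three-words-then-colon part never lines up -> kept
    "Jan 10 12:00:02 fw1 (10.0.0.1) firewall[1234]: Allow 10.0.0.5 203.0.113.7 443/tcp",
    # not a timeout at all, but it has the same shape -> also dropped
    "Jan 10 12:00:03 fw1 (10.0.0.1) firewall[1234]: Allow TCP connection: 10.0.0.5 to 203.0.113.7",
    # a timeout event without the "(...)" prefix -> the regex cannot match -> kept
    "Jan 10 12:00:04 fw1 firewall[1234]: tcp session timeout: src_ip=10.0.0.5",
]


def route_events(events, pattern=None):
    """Return (dropped, kept) the way a TRANSFORMS- stanza with
    DEST_KEY = queue / FORMAT = nullQueue routes raw events: an event whose
    _raw matches REGEX goes to nullQueue (dropped), any other event is indexed.
    Note that the props.conf stanza only applies to events whose sourcetype
    is 'watchguard' (or use [source::...] / [host::...] to key on those)."""
    pattern = pattern or compile_transforms_regex()
    dropped, kept = [], []
    for event in events:
        (dropped if pattern.search(event) else kept).append(event)
    return dropped, kept


if __name__ == "__main__":
    dropped, kept = route_events(SAMPLE_EVENTS)
    print("would be sent to nullQueue:")
    for event in dropped:
        print("  DROP", event)
    print("would be indexed:")
    for event in kept:
        print("  KEEP", event)
```

Running it shows the filter keys on the event's shape rather than on the words "session timeout", so it is worth checking against a sample of real events from the index before relying on it.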