Hi,
I'm using a Single Instance of Splunk 6.6.2 and I've tried filtering some events of my log using the code below, but the filter doesn't work. I put this argument **"[\dbus\]"** into regex because I don't want this to be indexed. What's wrong with this?
**inputs.conf:**

```
[source::/var/log/messages]
disabled = 0
index = main
sourcetype = my_sourcetype
```

**props.conf:**

```
[my_sourcetype]
TRANSFORMS-null = setnull
```

**transforms.conf:**

```
[setnull]
REGEX = \[dbus\]
DEST_KEY = queue
FORMAT = nullQueue
```