Hi Team,
We want to drop events which contain the keyword "error".
Below is our setup:
universal forwarder ------> heavy weight forwarder --------> indexer/cloud
We have multiple universal forwarders which are sending logs directly to indexers. We want to filter these logs via heavy weight forwarders, so we are sending logs from the universal forwarders to a heavy weight forwarder.
Can filtering be achieved by our setup?
Below are the configs we created for filtering events, but it's not working:
My props.conf on heavy weight forwarder:
[sourcetypename]
TRANSFORMS-set = setnull,setparsing
transforms.conf on heavy weight forwarder:
[setnull]
REGEX = error
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX = .
DEST_KEY = queue
FORMAT = indexQueue
Am I missing something?
Do I need to mention something like tcp_routing etc., as logs are forwarded by the universal forwarder to the heavy weight forwarder?
Please advise.
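As an added example (not part of the original post and not Splunk's own code), the Python script below emulates how a heavy forwarder walks a TRANSFORMS-<class> list: the stanzas named in props.conf are evaluated in list order against the raw event, and for DEST_KEY = queue the FORMAT of the last stanza whose REGEX matches decides the queue, with indexQueue as the default. It uses constructed sample events and the two stanzas exactly as posted, then compares the posted ordering (setnull,setparsing) with the reverse ordering and with setnull on its own, so you can see which events would actually reach the indexer in each case. The event lines and the orderings other than the posted one are assumptions made for the example.

```python
import re

# Constructed sample events for the example; they are not from the original post.
SAMPLE_EVENTS = [
    "2024-01-01 10:00:00 INFO  user login ok",
    "2024-01-01 10:00:01 ERROR database connection error",
    "2024-01-01 10:00:02 WARN  disk 90% full",
    "2024-01-01 10:00:03 error while parsing request",
    "2024-01-01 10:00:04 ERROR uppercase only",  # no lowercase "error" in this line
]

# The transforms.conf stanzas as posted in the question, keyed by stanza name.
STANZAS = {
    "setnull":    {"REGEX": "error", "DEST_KEY": "queue", "FORMAT": "nullQueue"},
    "setparsing": {"REGEX": ".",     "DEST_KEY": "queue", "FORMAT": "indexQueue"},
}

# Candidate values of TRANSFORMS-set in props.conf.
POSTED_ORDER = ["setnull", "setparsing"]    # TRANSFORMS-set = setnull,setparsing (as posted)
REVERSED_ORDER = ["setparsing", "setnull"]  # TRANSFORMS-set = setparsing,setnull (assumed)
NULL_ONLY = ["setnull"]                     # TRANSFORMS-set = setnull             (assumed)


def apply_transforms(event, order, stanzas=STANZAS):
    """Emulate one TRANSFORMS-<class> list being applied to a single raw event.

    Stanzas are tried in the order they appear in the list. For DEST_KEY = queue
    the FORMAT of the *last* stanza whose REGEX matches wins; an event that no
    stanza matches stays on the default indexQueue. REGEX is matched with
    re.search against the raw event, case-sensitively, as Splunk does unless
    the regex itself carries an (?i) flag.
    """
    queue = "indexQueue"
    for name in order:
        stanza = stanzas[name]
        if stanza["DEST_KEY"] != "queue":
            continue  # only queue routing is modelled here
        if re.search(stanza["REGEX"], event):
            queue = stanza["FORMAT"]
    return queue


def route(events, order, stanzas=STANZAS):
    """Return {event: queue} for a batch of events under one ordering."""
    return {ev: apply_transforms(ev, order, stanzas) for ev in events}


def dropped(events, order, stanzas=STANZAS):
    """Events that would be sent to nullQueue, i.e. never reach the indexer."""
    return [ev for ev, q in route(events, order, stanzas).items() if q == "nullQueue"]


if __name__ == "__main__":
    for label, order in [("posted", POSTED_ORDER),
                         ("reversed", REVERSED_ORDER),
                         ("setnull only", NULL_ONLY)]:
        print(f"{label:13s} TRANSFORMS-set = {','.join(order)}")
        for ev in dropped(SAMPLE_EVENTS, order):
            print("   dropped:", ev)
```

With the posted ordering, setparsing (REGEX = .) matches every event and is evaluated after setnull, so every event ends on indexQueue and nothing is dropped. Evaluating setnull last, or listing only setnull, sends the two events containing a lowercase "error" to nullQueue. The uppercase-only line is kept in all three cases because "error" is matched case-sensitively; a regex of (?i)error would catch it as well.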