On my universal forwarder, I have a repeated entry in my cron.log file that I would like to discard. However, I am not very familiar with regex terms. The entry in the cron.log is:
hostname CROND[27158]: (root) CMD (/bin/sh /etc/init.d/swiagentd swrestart > /dev/null 2&>1)
I have followed the instructions at:
https://docs.splunk.com/Documentation/Splunk/6.5.2/Forwarding/Routeandfilterdatad#Discard_specific_events_and_keep_the_rest
and I am using the following:
props.conf:
[source::/var/log/cron]
TRANSFORMS-null = setnull

transforms.conf:
[setnull]
REGEX = swrestart
DEST_KEY = queue
FORMAT = nullQueue
I have restarted but I am still getting the message in my search. Do I have the correct regex? And is there a specific place in each .conf file that I should put the stanzas?
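A quick way to check a nullQueue regex before touching the deployment is to run it against sample events the way Splunk's parsing pipeline does: an unanchored PCRE-style search on the raw event, with matches sent to the queue named by FORMAT. The script below is an added example, not code from the post or from Splunk; the transforms.conf text and the cron.log lines (apart from the one quoted in the question) are constructed, and the helper names `load_transform` and `route_events` are my own.

```python
import configparser
import re

# Constructed transforms.conf text; the [setnull] stanza is the one from the post.
TRANSFORMS_CONF = """\
[setnull]
REGEX = swrestart
DEST_KEY = queue
FORMAT = nullQueue
"""

# Constructed cron.log lines: the first is the event quoted in the post,
# the rest are ordinary cron entries that must NOT be discarded.
SAMPLE_EVENTS = [
    "hostname CROND[27158]: (root) CMD (/bin/sh /etc/init.d/swiagentd swrestart > /dev/null 2&>1)",
    "hostname CROND[27201]: (root) CMD (run-parts /etc/cron.hourly)",
    "hostname crontab[27300]: (alice) LIST (alice)",
    "hostname CROND[27412]: (root) CMD (/usr/lib64/sa/sa1 1 1)",
]


def load_transform(conf_text, stanza):
    """Parse one transforms.conf-style stanza into a dict of its keys."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep REGEX / DEST_KEY / FORMAT in their written case
    parser.read_string(conf_text)
    return dict(parser[stanza])


def route_events(events, transform):
    """Apply a queue-routing transform: unanchored regex search on each raw
    event; events that match a DEST_KEY=queue / FORMAT=nullQueue transform
    are dropped, everything else is kept for indexing."""
    pattern = re.compile(transform["REGEX"])
    discards = (transform.get("DEST_KEY") == "queue"
                and transform.get("FORMAT") == "nullQueue")
    kept, dropped = [], []
    for event in events:
        if discards and pattern.search(event):
            dropped.append(event)
        else:
            kept.append(event)
    return kept, dropped


def main():
    transform = load_transform(TRANSFORMS_CONF, "setnull")
    kept, dropped = route_events(SAMPLE_EVENTS, transform)
    print(f"REGEX {transform['REGEX']!r}: dropped {len(dropped)}, kept {len(kept)}")
    for event in dropped:
        print("DROP", event)
    for event in kept:
        print("KEEP", event)


if __name__ == "__main__":
    main()
```

Run as written, only the swrestart line is dropped, so `REGEX = swrestart` is sufficient for the event shown. Two things outside the regex are worth checking when the event still appears in search: the `[source::/var/log/cron]` stanza must match the path actually monitored (the question calls the file cron.log, so confirm the inputs.conf path), and nullQueue routing happens in the parsing pipeline, which a universal forwarder does not run, so the props.conf and transforms.conf stanzas need to be on the indexer (or a heavy forwarder) that receives the data rather than on the universal forwarder itself.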