Can you help me filter events that are coming from several universal forwarders?

Hi all,

I am trying to filter events that are coming from several Splunk universal forwarders. I have set up a Splunk server that gets all the logs from the universal forwarders, filters them, and then sends them to the Splunk index server.

I have read [https://docs.splunk.com/Documentation/Splunk/7.1.3/Forwarding/Routeandfilterdatad][1]

I want to keep only the events that contain the words error or fetch and discard the rest. So, I created props.conf, transforms.conf and outputs.conf in the path $SPLUNK_HOME/etc/system/local.

props.conf

    [app_logs]
    TRANSFORMS-set=appjunk, appfetch

transforms.conf

    [appjunk]
    REGEX = .
    DEST_KEY = queue
    FORMAT = nullQueue

    [appfetch]
    REGEX = fetch error
    DEST_KEY = _TCP_ROUTING
    FORMAT = mainindx

outputs.conf

    [tcpout:mainindx]
    server=10.158.0.6:9997

I have configured the Splunk index server to receive info on port 9997, and also, the Splunk heavy forwarder can receive info on this port.

I have tried to configure the Splunk heavy forwarder in this way, and it won't work. I also tried to change the order of the TRANSFORMS-set command and transforms.conf, and it still won't work.

Thank you in advance

[1]: https://docs.splunk.com/Documentation/Splunk/7.1.3/Forwarding/Routeandfilterdatad
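The following is an added example, not part of the original post and not Splunk code: a simplified model of how an ordered TRANSFORMS list rewrites an event's keys, comparing the posted stanzas with the "keep specific events and discard the rest" layout from the linked documentation. It assumes transforms run in listed order, that a later match overwrites the same DEST_KEY, and that an event left in nullQueue is dropped; the stanza name `appkeep`, the alternation `fetch|error` and the sample events are constructed for illustration.

```python
import re

# Transform stanzas as (name, REGEX, DEST_KEY, FORMAT).
# POSTED mirrors the transforms.conf in the question.
POSTED = [
    ("appjunk", r".", "queue", "nullQueue"),
    ("appfetch", r"fetch error", "_TCP_ROUTING", "mainindx"),
]
# DOCS_PATTERN follows the "keep specific events and discard the rest"
# layout from the linked documentation. The stanza name "appkeep" and the
# alternation fetch|error are assumptions made for this example.
DOCS_PATTERN = [
    ("appjunk", r".", "queue", "nullQueue"),
    ("appkeep", r"fetch|error", "queue", "indexQueue"),
]

def apply_transforms(raw, transforms):
    """Run transforms in listed order; a later match overwrites the same key."""
    keys = {"queue": "indexQueue"}  # modelled default: event is kept
    for _name, regex, dest_key, fmt in transforms:
        if re.search(regex, raw):  # unanchored, case-sensitive match on the raw event
            keys[dest_key] = fmt
    return keys

def is_kept(raw, transforms):
    """Modelled outcome: an event left in nullQueue is dropped."""
    return apply_transforms(raw, transforms)["queue"] != "nullQueue"

# Constructed sample events, not taken from the original post.
SAMPLES = [
    "2018-10-02 10:00:01 INFO user login ok",
    "2018-10-02 10:00:02 ERROR db timeout",  # upper-case, so "error" does not match
    "2018-10-02 10:00:03 warn fetch failed",
    "2018-10-02 10:00:04 error in fetch error handler",
]

def report(transforms):
    """Return one kept/dropped flag per sample event."""
    return [is_kept(raw, transforms) for raw in SAMPLES]

if __name__ == "__main__":
    for label, transforms in (("posted", POSTED), ("docs pattern", DOCS_PATTERN)):
        print(label, report(transforms))
```

In this model the posted stanzas set `_TCP_ROUTING` on the last sample but never move any event out of `nullQueue`, while the documentation layout puts matching events back into `indexQueue`.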
