Hello, so I understand that my props.conf and transforms.conf (below) in theory allow me to filter out the events that match the regex specified.
props.conf
[filter_out_auth_logs]
TRANSFORMS-tonull = filter_out_word
transforms.conf
[filter_out_word]
REGEX = WORD\[.*?\]:
DEST_KEY = queue
FORMAT = nullQueue
What I am unsure of is how I ensure this filter is only applied to a specific input.
For example, if I have the following entries in the input.config file, where do I specify that I want the input that sends logs to myindex1 to make use of the filtering specified in the props and transforms configs?
[monitor:///var/log/syslog]
index = myindex1
sourcetype = syslog
[monitor:///var/log/syslog.log]
index = myindex2
sourcetype = syslog
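
One way to scope the transform to the first input, shown as an added example that is not part of the original post. A props.conf stanza header selects events by sourcetype, by `source::<path>` or by `host::<name>`, and because both inputs above share the sourcetype syslog, the stanza here keys on the monitored path instead. It assumes these files sit on the instance that parses the data (an indexer or heavy forwarder), since index-time transforms are not applied by a universal forwarder.

```ini
# props.conf
# A bare stanza name such as [filter_out_auth_logs] is read as a sourcetype
# name. Neither input uses that sourcetype, so that stanza matches nothing.
# Events read by monitor:///var/log/syslog carry source=/var/log/syslog,
# so this header applies the transform to that input only. The second
# input has source=/var/log/syslog.log and is left untouched.
[source::/var/log/syslog]
TRANSFORMS-tonull = filter_out_word

# transforms.conf (unchanged from the post)
# Events matching REGEX are routed to nullQueue and never indexed.
[filter_out_word]
REGEX = WORD\[.*?\]:
DEST_KEY = queue
FORMAT = nullQueue
```

An alternative is to give the first input its own sourcetype in the inputs file and use that name as the props.conf stanza header.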