Hope everyone is keeping safe.
I'm following this document https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad (Discard specific events and keep the rest)
The first app is working as expected; however, when I created a second app, the filtering is not working.
Both apps send data to the same index, but the apps are on different servers and different logs. We are using Universal Forwarders.
App1
[ ~/etc/deployment-apps/app1/local] $ cat props.conf
[uLinga]
TRANSFORMS-set= setnull,setparsing
[ ~/etc/deployment-apps/app1/local] $ cat transforms.conf
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX = INFRASFT
DEST_KEY = queue
FORMAT = indexQueue
App2
[ ~/etc/deployment-apps/app2/local] $ cat props.conf
[Aux]
TRANSFORMS-set = setnull,setparsing
[ ~/etc/deployment-apps/app2/local] $ cat transforms.conf
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX = INFO|ERROR|WARN
DEST_KEY = queue
FORMAT = indexQueue
Thank you
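An added example, not part of the original post: it simulates how same-named `transforms.conf` stanzas from the two apps merge and how the merged result routes an event of the `Aux` sourcetype. It assumes both apps are installed on the same parsing instance (indexer or heavy forwarder), which the post does not state, and applies Splunk's global-context precedence rule, where the app directory sorting first in ASCII order wins; the sample events are constructed.

```python
import configparser
import re

# Constructed copies of the two transforms.conf files shown in the post.
APPS = {
    "app1": "[setnull]\nREGEX = .\nDEST_KEY = queue\nFORMAT = nullQueue\n"
            "[setparsing]\nREGEX = INFRASFT\nDEST_KEY = queue\nFORMAT = indexQueue\n",
    "app2": "[setnull]\nREGEX = .\nDEST_KEY = queue\nFORMAT = nullQueue\n"
            "[setparsing]\nREGEX = INFO|ERROR|WARN\nDEST_KEY = queue\nFORMAT = indexQueue\n",
}

def parse(text):
    """Parse one .conf file into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case (REGEX, DEST_KEY, FORMAT)
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def merge_global(apps):
    """Merge stanzas attribute by attribute; the app sorting first in ASCII order wins."""
    merged, collisions = {}, set()
    for app in sorted(apps):
        for stanza, attrs in parse(apps[app]).items():
            target = merged.setdefault(stanza, {})
            for key, value in attrs.items():
                if key in target and target[key] != value:
                    collisions.add((stanza, key))  # a later app tried to redefine it
                target.setdefault(key, value)
    return merged, collisions

def route(event, transforms, conf):
    """Apply TRANSFORMS in list order; the last matching stanza sets the queue."""
    queue = "indexQueue"
    for name in transforms:
        if re.search(conf[name]["REGEX"], event):
            queue = conf[name]["FORMAT"]
    return queue

if __name__ == "__main__":
    merged, collisions = merge_global(APPS)
    aux_event = "2020-05-01 10:00:00 ERROR disk full"  # constructed Aux event
    order = ["setnull", "setparsing"]
    print("colliding attributes:", sorted(collisions))
    print("app2 alone :", route(aux_event, order, parse(APPS["app2"])))
    print("merged view:", route(aux_event, order, merged))
```

Under these assumptions, giving each app uniquely named stanzas (hypothetical names such as `aux_setnull` and `aux_setparsing`) removes the collision the script reports.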