I have a universal forwarder monitoring log files that contain the line:
INFO [2015/10/13 10:50:00.193] C93| Closing call logging file D:\RT\CDR\C093.2015-10-13#10-45.csv.
I obviously want to filter these lines so that they are not indexed or included in my indexed volume. I have the following set up in props.conf:
[default]
TRANSFORMS-RT-Kernel-17-40-26-3 = filter-call-closing
And the following in transforms.conf:
[filter-call-closing]
REGEX = "Closing call logging file"
DEST_KEY = queue
FORMAT = nullQueue
However, these events are still being indexed. Do I have to use a different method of filtering from a forwarder?