We have a Universal Forwarder that is sending a huge amount of data. We need to only index events that contain any of these words: "EnvisionResponse" or "EnvisionRequest" or "TransactionStatusDetail".
The "EnvisionRequest" event is multiple lines, so I need all the lines for the event.
Here is an example:
2017-02-23 12:00:02,982 INFO (http-139.61.194.230-8380-24) EnvisionRequest version="1"
referenceNbr 869dc644e461b01
messageType P
Our Splunk Indexer is version 6.1.
Can this be done in props.conf and transforms.conf on the Indexer without adding to the daily license volume?
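As an added illustration (not part of the original question or the Splunk documentation for this poster's setup), the following shows the standard "drop everything, then keep what matches" pattern in props.conf and transforms.conf. The sourcetype name `envision_app` and the timestamp-based line-break rule are assumptions; replace them with the actual sourcetype and event format. The settings belong on the indexer, because a Universal Forwarder does not parse data, and events routed to nullQueue are discarded before indexing and so are not counted against the license.

```ini
# props.conf (on the indexer) -- assumed sourcetype name, replace as needed
[envision_app]
# Merge the multi-line EnvisionRequest records into one event first.
# The regex assumes each event starts with a "YYYY-MM-DD HH:MM:SS,mmm" timestamp,
# as in the sample lines in the question.
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = ^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}
MAX_TIMESTAMP_LOOKAHEAD = 23
# Order matters: send everything to nullQueue, then pull back the keepers.
TRANSFORMS-set = setnull, keep_envision

# transforms.conf (on the indexer)
[setnull]
# Match every event and route it to nullQueue (dropped, not licensed).
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[keep_envision]
# Route back to indexQueue only events containing one of the keywords.
# Because transforms run after line merging, the regex sees the whole
# merged event, so the continuation lines of EnvisionRequest are kept.
REGEX = EnvisionResponse|EnvisionRequest|TransactionStatusDetail
DEST_KEY = queue
FORMAT = indexQueue
```

The two stanzas must appear in that order in `TRANSFORMS-set`: the last transform whose regex matches decides the queue, so the keyword rule overrides the catch-all drop only when it is listed after it. A quick check after a restart is to search the sourcetype and confirm only events containing the three keywords arrive, and that the EnvisionRequest events carry their `referenceNbr` and `messageType` lines.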