I've read the docs on how to filter events from:
http://docs.splunk.com/Documentation/Splunk/4.3.3/Deploy/Routeandfilterdatad
The documentation mentions some things that the light and "Universal forwarder" cannot do... is this one of those things? If so, where DO you filter this to keep it from getting into the DB?
The log lines containing "ipmon" are still sent. The universal forwarder is running on a Solaris 10 host.
My configuration is:
/opt/splunkforwarder/etc/apps/search/local/inputs.conf
[monitor:///var/log/local0/debug]
disabled = false
## filter ipmon logs out of forwarded logs
sourcetype = local0_syslog
queue = parsingQueue
/opt/splunkforwarder/etc/system/local/props.conf
[local0_syslog]
TRANSFORMS-null= setnull_ipmon
/opt/splunkforwarder/etc/system/local/transform.conf
[setnull_ipmon]
#match anything with ipmon and toss it
REGEX = ipmon
DEST_KEY = queue
FORMAT = nullQueue
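The following is an added example, not part of the original post or of Splunk's own code. It simulates what the parsing pipeline does with the props.conf and transforms.conf stanzas shown above: every event of sourcetype local0_syslog is tested against the REGEX of each TRANSFORMS-* entry, and a match with DEST_KEY = queue / FORMAT = nullQueue is dropped before indexing. Note that this step belongs to the parsing pipeline, which runs on an indexer or a heavy forwarder; the universal forwarder does not evaluate props/transforms routing, so the stanzas have to live on the receiving side for the filter to take effect. The configuration text and the syslog lines below are constructed samples, and the file is assumed to be named transforms.conf (Splunk does not read a file named transform.conf).

```python
import configparser
import re

# Constructed copies of the two stanzas from the question (not the host's real files).
# Splunk .conf files are INI-like, so configparser covers the subset used here.
PROPS_CONF = """
[local0_syslog]
TRANSFORMS-null = setnull_ipmon
"""

TRANSFORMS_CONF = """
[setnull_ipmon]
# match anything containing ipmon and send it to the null queue
REGEX = ipmon
DEST_KEY = queue
FORMAT = nullQueue
"""

# Constructed local0 syslog lines; two are ipmon (IP Filter) log lines, two are not.
SAMPLE_EVENTS = [
    "Jun 12 10:01:02 host1 ipmon[123]: 10.0.0.5 -> 10.0.0.9 PR tcp blocked",
    "Jun 12 10:01:03 host1 sshd[456]: Accepted publickey for admin",
    "Jun 12 10:01:04 host1 ipmon[123]: 10.0.0.7 -> 10.0.0.9 PR udp passed",
    "Jun 12 10:01:05 host1 cron[789]: (root) CMD (/usr/lib/sa/sa1)",
]


def load_conf(text):
    """Parse Splunk-style .conf text, preserving key case (REGEX, DEST_KEY, ...)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def null_queue_rules(sourcetype, props, transforms):
    """Collect (name, compiled regex) for every transform referenced by the
    sourcetype's TRANSFORMS-* keys that routes matching events to nullQueue."""
    rules = []
    if not props.has_section(sourcetype):
        return rules
    for key, value in props.items(sourcetype):
        if not key.startswith("TRANSFORMS-"):
            continue
        for name in (n.strip() for n in value.split(",")):
            if not transforms.has_section(name):
                raise ValueError(f"props.conf references unknown transform {name!r}")
            t = transforms[name]
            if t.get("DEST_KEY") == "queue" and t.get("FORMAT") == "nullQueue":
                rules.append((name, re.compile(t["REGEX"])))
    return rules


def route_events(events, sourcetype, props, transforms):
    """Tag each event 'nullQueue' (dropped) or 'indexQueue' (kept), the way the
    parsing pipeline would after applying the transforms in order."""
    rules = null_queue_rules(sourcetype, props, transforms)
    routed = []
    for event in events:
        dest = "indexQueue"
        for _name, rx in rules:
            if rx.search(event):
                dest = "nullQueue"
                break
        routed.append((dest, event))
    return routed


def kept_events(events=SAMPLE_EVENTS, sourcetype="local0_syslog",
                props_text=PROPS_CONF, transforms_text=TRANSFORMS_CONF):
    """Return only the events that would reach the index."""
    props = load_conf(props_text)
    transforms = load_conf(transforms_text)
    return [e for dest, e in route_events(events, sourcetype, props, transforms)
            if dest == "indexQueue"]


if __name__ == "__main__":
    for dest, event in route_events(SAMPLE_EVENTS, "local0_syslog",
                                    load_conf(PROPS_CONF), load_conf(TRANSFORMS_CONF)):
        print(f"{dest:10s} {event}")
```

Running it prints each sample line with its destination; the two ipmon lines land in nullQueue and the sshd and cron lines are kept. Pointing `load_conf` at real props.conf and transforms.conf files is a quick way to confirm that a TRANSFORMS-* reference resolves and that the regex matches the lines you expect to drop before relying on it in production.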