I'm trying to discard entries from one of my data sources and it isn't working. Why?
All the following are set on the indexer, not the universal forwarder. I've triple-checked my work.
**inputs.conf**

```
[WinNetMon://inbound]
direction = inbound;outbound
disabled = 0
index = windows
packetType = accept;connect
```

**props.conf**

```
[WinNetMon://inbound]
TRANSFORMS-null1 = null1
```

**transforms.conf**

```
[null1]
SOURCE_KEY = LocalAddress
REGEX = ::1
DEST_KEY = queue
FORMAT = nullQueue
```

The events I'm getting are `source=inbound` and `sourcetype=WinNetMon`