I know how to blacklist a specific event for a host or a sourcetype, but I couldn't figure out how to blacklist events for a specific host and sourcetype. Here is my scenario:
Hosts: host1, host2
Sourcetype: st1
I want to blacklist a specific event (based on a regex) for st1 for host host1.
I am using a configuration something like this:
transforms.conf
[setnull]
REGEX = .*\s+Debug\s+.*
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX = .
DEST_KEY = queue
FORMAT = indexQueue
props.conf
[host::host1]
TRANSFORMS-set= setparsing
[host::host*]
TRANSFORMS-nullsourcetype= nullsourcetype
TRANSFORMS-set= setnull
I don't know how to tell what sourcetype to blacklist the events from.