Channel: Questions in topic: "splunk-enterprise"

Filter events before indexing doesn't work with nullQueue

Hi,

I only want to index files containing the string #! in the first 5 characters of the file. Therefore I created the following inputs.conf:

> [monitor:pathname]
> blacklist = (?i:archive|develop|data|backup|\.txt$|\.gz$|\.tar$|\.csv$|\.bck$|\.log$|\.old$|\d{6,})
> disabled = false
> host = script
> index = abcindex
> sourcetype = abcscript

Props.conf:

> [abcscript]
> TRANSFORMS-set= setnull,setparsing

Transforms.conf:

> [setnull]
> REGEX = .
> DEST_KEY = queue
> FORMAT = nullQueue
> [setparsing]
> REGEX = (.{0,5}(#!))
> DEST_KEY = queue
> FORMAT = indexQueue

Based on http://docs.splunk.com/Documentation/Splunk/6.3.1/Forwarding/Routeandfilterdatad

Unfortunately everything is indexed in the index "abcindex" at the moment, and not only files starting with #!

I also tried it with a dummy string in a dummy file, but again: everything is indexed. Rebooted Splunk after changing config files.

Any idea what goes wrong here? Using Splunk 6.3.1 at the moment.

Thanks
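Added example, not part of the original post and not Splunk code: a simplified Python model of how the two transforms in the post act on each event once they are applied at parse time. It assumes one event per line and that a later matching transform overwrites the queue set by an earlier one; `route`, `route_file`, `ANCHORED` and the sample events are hypothetical and constructed for illustration.

```python
import re

# Transforms from the post, in the order listed in TRANSFORMS-set.
TRANSFORMS = [
    ("setnull", re.compile(r"."), "nullQueue"),
    ("setparsing", re.compile(r"(.{0,5}(#!))"), "indexQueue"),
]
# Hypothetical variant (not from the post): anchored to the start of the event.
ANCHORED = [
    TRANSFORMS[0],
    ("setparsing_anchored", re.compile(r"^.{0,5}#!"), "indexQueue"),
]

def route(event, transforms=TRANSFORMS):
    """Return the queue for one event: every matching transform overwrites
    the queue key, so the last match in the list wins."""
    queue = "indexQueue"  # default destination when nothing matches
    for _name, regex, dest in transforms:
        if regex.search(event):  # unanchored search against the raw event text
            queue = dest
    return queue

def route_file(events, transforms=TRANSFORMS):
    """Route each event independently; the model keeps no per-file state."""
    return [(route(e, transforms), e) for e in events]

# Constructed sample: a script assumed to be broken into one event per line.
SAMPLE_EVENTS = [
    "#!/bin/sh",
    "echo start",
    "grep -v '#!' /tmp/list   # '#!' far from the start of the line",
    "exit 0",
]

if __name__ == "__main__":
    for label, chain in (("as posted", TRANSFORMS), ("anchored", ANCHORED)):
        print(label)
        for queue, event in route_file(SAMPLE_EVENTS, chain):
            print(f"  {queue:10} {event}")
```

In this model the decision is made per event, so only the events that themselves contain `#!` are kept, and the unanchored pattern keeps an event with `#!` at any position because `.{0,5}` can match zero characters.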
