Hi all, I'm trying to do file nullQueue filtering on my HWF.
I want to keep the log entries for /sausages but drop the ones for /sausages/data.
So far I have this (test setup on desktop):
**PROPS.CONF**

```ini
[source::/home/splunk/Desktop/xxx/fs-audit.log*]
TRANSFORMS-set = setnull,whitelist,blacklist
```

**TRANSFORMS.CONF**

```ini
# send everything to nullQueue first
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# then pull /sausages events back to indexQueue
[whitelist]
REGEX = /sausages
DEST_KEY = queue
FORMAT = indexQueue

# then drop /sausages/data events again
[blacklist]
REGEX = /sausages/data
DEST_KEY = queue
FORMAT = nullQueue
```
I did play with escaping the slashes like \/sausages\/ but that didn't work either.
Thanks in advance.
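To reason about which events the three stanzas above keep or drop, here is an added simulator (not part of the post, and not Splunk's own code). It assumes Splunk evaluates the transforms named in `TRANSFORMS-set` left to right with an unanchored regex search, and that the last matching transform's `FORMAT` decides the queue; the log lines it runs over are constructed.

```python
import re

# Constructed mirror of the transforms.conf stanzas in the post, in the
# order listed in TRANSFORMS-set = setnull,whitelist,blacklist.
TRANSFORMS = [
    ("setnull",   r".",              "nullQueue"),
    ("whitelist", r"/sausages",      "indexQueue"),
    ("blacklist", r"/sausages/data", "nullQueue"),
]

DEFAULT_QUEUE = "indexQueue"  # where an event goes if no transform touches it


def route_event(raw, transforms=TRANSFORMS):
    """Return (final_queue, [names of transforms that matched, in order]).

    Assumption: each matching transform overwrites the queue, so the last
    match wins. This is what makes setnull -> whitelist -> blacklist work.
    """
    queue, fired = DEFAULT_QUEUE, []
    for name, regex, fmt in transforms:
        if re.search(regex, raw):
            queue = fmt
            fired.append(name)
    return queue, fired


def split_log(lines, transforms=TRANSFORMS):
    """Partition raw events into those indexed and those dropped."""
    kept, dropped = [], []
    for line in lines:
        queue, _ = route_event(line, transforms)
        (kept if queue == "indexQueue" else dropped).append(line)
    return kept, dropped


# Constructed sample of an fs-audit style log; paths chosen to hit each rule.
SAMPLE_LOG = [
    "2024-01-01T10:00:00 uid=1000 op=open path=/sausages/menu.txt",
    "2024-01-01T10:00:01 uid=1000 op=write path=/sausages/data/blob.bin",
    "2024-01-01T10:00:02 uid=0 op=read path=/etc/shadow",
    "2024-01-01T10:00:03 uid=1000 op=open path=/sausages/data",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(route_event(line), line)
```

Running it shows `/sausages/menu.txt` matched setnull then whitelist and lands in indexQueue, while both `/sausages/data` paths match all three and end in nullQueue; anything else is dropped by setnull alone, which is worth confirming before deploying to the HWF so audit events you rely on are not silently discarded.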