Hi Team,
We want to drop events which contain the keyword "error".
Below is our setup:
universal forwarder ------> heavy weight forwarder -------> indexer/cloud
We have multiple universal forwarders which are sending logs directly to indexers. We want to filter these logs via heavy weight forwarders. So we are sending logs from the universal forwarders to the heavy weight forwarder.
Can filtering be achieved with our setup?
Below are the configs we created for filtering events, but it's not working:
My props.conf on the heavy weight forwarder:
[sourcetypename]
TRANSFORMS-set = setnull, setparsing
transforms.conf on the heavy weight forwarder:
[setnull]
REGEX = error
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX = .
DEST_KEY = queue
FORMAT = indexQueue
Am I missing something?
Do I need to mention something like tcp_routing etc., as logs are forwarded by the universal forwarder to the heavy weight forwarder?
Please advise.
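Added here as an illustration (not part of the original post): a small Python simulation of how one TRANSFORMS-set class routes events when every stanza writes DEST_KEY = queue. Splunk applies the listed transforms in order and each match overwrites the key, so the last matching stanza decides the queue; the sample events are constructed, while the REGEX and FORMAT values are the ones from the post.

```python
import re

# Constructed sample events (not taken from the original post).
EVENTS = [
    "2024-01-01T10:00:00 INFO service started",
    "2024-01-01T10:00:01 ERROR connection refused",
    "2024-01-01T10:00:02 error: disk full",
]

# The two transforms.conf stanzas from the post. Both write
# DEST_KEY = queue, so only REGEX and FORMAT matter for routing.
TRANSFORMS = {
    "setnull":    {"REGEX": r"error", "FORMAT": "nullQueue"},
    "setparsing": {"REGEX": r".",     "FORMAT": "indexQueue"},
}


def route_event(event, order, transforms=TRANSFORMS):
    """Return the queue one event ends up in after applying the transforms
    named in `order` (the TRANSFORMS-set list).  Transforms run in the listed
    order and every match overwrites the queue key, so the last match wins.
    REGEX is PCRE-style and case-sensitive, as in Splunk."""
    queue = "indexQueue"  # events reach the index unless a transform redirects them
    for name in order:
        stanza = transforms[name]
        if re.search(stanza["REGEX"], event):
            queue = stanza["FORMAT"]
    return queue


def indexed_events(events, order):
    """Events that survive the filter chain (were not sent to nullQueue)."""
    return [e for e in events if route_event(e, order) == "indexQueue"]


if __name__ == "__main__":
    for order in (["setnull", "setparsing"], ["setparsing", "setnull"]):
        print(f"TRANSFORMS-set = {','.join(order)}")
        for e in EVENTS:
            print(f"  {route_event(e, order):10s}  {e}")
```

With the post's order, setparsing (REGEX = .) matches every event last, so nothing is dropped; with setparsing listed before setnull, events containing a lowercase "error" go to nullQueue while "ERROR" still passes because the match is case-sensitive.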