Hi splunkers,
I would like to remove headers from a cisco file. I've tried transforms configurations, but I can't get it work.
I ran a search to troubleshooting: `"index=_internal sourcetype=splunkd ignoreComments"` , with the follows results:
> -0200 ERROR regexExtractionProcessor - REGEX field must be specified> tranform_name=ignoreComments
Please find below details of the configurations:
`C:\Program Files\Splunk\etc\apps\search\local\inputs.conf`
[monitor://c:\cisco\*]
sourcetype = cisco_teste
disabled = false
index = treinamento
`C:\Program Files\Splunk\etc\apps\search\local\props.conf`
[cisco_teste]
TRANSFORMS-noComments = ignoreComments
`C:\Program Files\Splunk\etc\apps\search\local\tranforms.conf`
[ignoreComments]
REGEX = ^#
DEST_KEY = queue
FORMAT = nullQueue
Let me know if you guys need anything else, I really appreciate the help.
Cheers,
↧