I have some logs that can include any one of 50,000+ users. But I only need to index and keep a subset of that, approximately 2000 users. I'm looking for the most efficient way to only include logs that are associated with these users.
I thought of using transforms.conf and doing a ridiculously long regex to match those users, but I'm looking for any better ideas.
props.conf:

    [host::blah]
    TRANSFORMS-null = setnull

transforms.conf:

    [setnull]
    # events whose _raw matches REGEX are routed to nullQueue, i.e. discarded
    REGEX =
    DEST_KEY = queue
    FORMAT = nullQueue
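An added example (not part of the post above) of one way to build the long regex safely rather than by hand. Two points worth noting: a single setnull stanza discards whatever matches, so to keep only 2000 users you want Splunk's documented two-stanza form, setnull on everything followed by setparsing that sends matches back to indexQueue; and each username should be regex-escaped and bounded so that "bob" cannot also admit "bobby". The script below assumes the username appears in the raw event as user=<name> (an assumption about the log format), uses a constructed three-name allow-list in place of the real 2000, and prints the transforms.conf and props.conf text to paste in.

```python
import re

# Constructed sample allow-list; in practice read the ~2000 names from a file.
KEEP_USERS = ["alice", "bob.smith", "c-user_42"]


def build_user_regex(users):
    """Return one anchored alternation covering every name in the allow-list.

    Each name goes through re.escape() so '.' and '-' match literally, and the
    group is followed by \\b so a listed name cannot match a longer one that
    merely starts the same way. Assumes the event carries user=<name>.
    """
    alternation = "|".join(re.escape(u) for u in sorted(set(users)))
    return r"user=(?:%s)\b" % alternation


def render_transforms(users):
    """transforms.conf text: drop everything, then re-route allow-listed events.

    Splunk applies the transforms in the order listed in props.conf, so the
    last one to set the queue key for an event wins.
    """
    return (
        "[setnull]\n"
        "REGEX = .\n"
        "DEST_KEY = queue\n"
        "FORMAT = nullQueue\n"
        "\n"
        "[setparsing]\n"
        "REGEX = %s\n"
        "DEST_KEY = queue\n"
        "FORMAT = indexQueue\n" % build_user_regex(users)
    )


def render_props(host_stanza="host::blah"):
    """props.conf text naming both transforms, setnull first."""
    return "[%s]\nTRANSFORMS-set = setnull, setparsing\n" % host_stanza


def would_index(raw_event, users):
    """Local check: would this raw event survive the setparsing regex?"""
    return re.search(build_user_regex(users), raw_event) is not None


if __name__ == "__main__":
    print("# transforms.conf")
    print(render_transforms(KEEP_USERS))
    print("# props.conf")
    print(render_props())
    # constructed events to sanity-check the regex before deploying it
    for ev in ["2024-01-01 login ok user=alice src=10.0.0.5",
               "2024-01-01 login ok user=alicex src=10.0.0.5",
               "2024-01-01 login ok user=bob.smith src=10.0.0.6",
               "2024-01-01 login ok user=bobXsmith src=10.0.0.6"]:
        print(would_index(ev, KEEP_USERS), ev)
```

Regenerate the stanza whenever the allow-list changes and restart or reload the indexer; the regex is still long, but it is generated, escaped and bounded rather than hand-typed, and the setnull/setparsing pair keeps the filtering logic in two stanzas instead of one negated expression.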