Hi, to minimize the size of an index I would like to filter events for status 200.
These are my config files:
inputs.conf
[monitor://C:Logs*.log]
disabled = false
followTail = 0
host = CACA
index = basura
sourcetype = webexchange
props.conf
[webexchange]
TRANSFORMS-set= descartar
transforms.conf
[descartar]
REGEX = (?i)^(?:[^\.]*\.){8}\d+\s+(200)
DEST_KEY = queue
FORMAT = nullQueue
events:
2013-07-13 23:59:59 W3SVC1 222.222.222.222 HEAD /OAB/4abc7b21-fb88-473a-acfc-83660b79ff57/oab.xml - 443 - 172.26.12.166 Microsoft+BITS/7.5 401 2 2148074254
2013-07-14 00:00:00 W3SVC1 333.333.333.333 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Sync&User=xxxxxxxxxxxx&DeviceId=SEC1DCF083B0E526&DeviceType=SAMSUNGGTI9300&Log=V121_Fc1_Fid:8_Ty:Co_Filt0_St:S_Sk:1918965444_Sst9_LdapC0_LdapL0_RpcC21_RpcL31_Ers1_Pk3820395887_S1_ 443 xxxxxxx\xxxxxxxx 222.222.222.222 xxxxxxxxxxxxx/100.40102 200 0 0
2013-07-14 00:00:44 W3SVC1 333.333.333.333 POST /Microsoft-Server-ActiveSync/default.eas Cmd=FolderSync&User=xxxxxxxxxxxxx&DeviceId=SAMSUNG11091299461&DeviceType=SAMSUNGGTI9100&Log=V121_St:S_LdapC0_LdapL0_RpcC16_RpcL46_Pk3430192398_ 443 xxxxxxxx/xxxxxxx 222.222.2222.222 xxxxxxxxxxxxxxxxx/100.40102 200 0 0
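
An offline check of the `[descartar]` REGEX against events in the layout shown above, as an added example that is not part of the original post. Python's `re` stands in for Splunk's PCRE matching against `_raw`, the third event is constructed, and reading sc-status as the third field from the end is an assumption based on the sample events.

```python
import re

# REGEX value copied from the [descartar] stanza in the post.
DESCARTAR = re.compile(r"(?i)^(?:[^\.]*\.){8}\d+\s+(200)")

# The first two events are from the post. The third is constructed for this
# example: same field layout, but its user agent contains only one dot.
EVENTS = r"""
2013-07-13 23:59:59 W3SVC1 222.222.222.222 HEAD /OAB/4abc7b21-fb88-473a-acfc-83660b79ff57/oab.xml - 443 - 172.26.12.166 Microsoft+BITS/7.5 401 2 2148074254
2013-07-14 00:00:00 W3SVC1 333.333.333.333 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Sync&User=xxxxxxxxxxxx&DeviceId=SEC1DCF083B0E526&DeviceType=SAMSUNGGTI9300&Log=V121_Fc1_Fid:8_Ty:Co_Filt0_St:S_Sk:1918965444_Sst9_LdapC0_LdapL0_RpcC21_RpcL31_Ers1_Pk3820395887_S1_ 443 xxxxxxx\xxxxxxxx 222.222.222.222 xxxxxxxxxxxxx/100.40102 200 0 0
2013-07-14 00:01:00 W3SVC1 333.333.333.333 GET /owa/ - 443 - 222.222.222.222 Mozilla/5.0 200 0 0
""".strip().splitlines()


def sc_status(event):
    """Assumption: sc-status is the third whitespace-separated field from the end."""
    fields = event.split()
    return fields[-3] if len(fields) >= 3 else None


def regex_drops(event):
    """True if the transform's REGEX matches, i.e. the event would go to nullQueue."""
    return DESCARTAR.search(event) is not None


def audit(events):
    """Return (status, dropped, agrees) per event.

    agrees is False when the regex decision differs from the positional
    status check, which exposes events the dot-counting pattern misjudges.
    """
    rows = []
    for ev in events:
        status = sc_status(ev)
        dropped = regex_drops(ev)
        rows.append((status, dropped, dropped == (status == "200")))
    return rows


if __name__ == "__main__":
    for status, dropped, agrees in audit(EVENTS):
        print(f"status={status} dropped={dropped} {'ok' if agrees else 'MISMATCH'}")
```

The constructed event has only seven dots before the status field, so the pattern, which requires exactly eight, leaves that 200 response in the index.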