
Prevent log events with specific text string from indexing


I've got a seemingly simple problem that I'm having a bit of difficulty with. I've been tasked with excluding log events containing a specific text string (in this case, an IP address) from being indexed in Splunk. I've done something similar with sources such as Windows event logs (using props.conf and transforms.conf to send to nullQueue based on a regex), but the catch this time is that the event could come from any host, and be any sourcetype. Basically, "if any event comes into Splunk with this text string, send it to nullQueue." Any ideas?

