Event Forwarding Rules
You can configure event forwarding rules in the UI. This is only possible after creating at least one event forwarder.
Click
, under in the side menu click to see and manage the event forwarding rules that apply to the repository.
Figure 107. Event Forwarding Rules
To create an event forwarding rule, specify a rule and select an already configured event forwarder.
The rule is a normal LogScale query. It is applied to the parsed events and can be used to filter out events that you do not wish to forward, or to add fields to or remove fields from the events before forwarding them. Any manipulation of the events applies only to the forwarded events; the events stored in LogScale remain the events that came out of the parser.
Click
.
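A rule of the kind described above, as an added example that is not taken from the LogScale documentation. It filters the parsed events, adds one field and removes two before forwarding; the tag value and the field names (`outcome`, `src_ip`, `password`, `auth_token`, `forwarded_by`) are assumptions about what the repository's parser produces.

```logscale
// Added example; field names and the #type value are assumed, not LogScale defaults.

// 1. Filter: forward only failed authentication events.
#type = "auth-log"
| outcome = "failure"

// 2. Filter: skip events whose source address is in a private range,
//    so that only failures from external addresses are forwarded.
| !cidr(src_ip, subnet=["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"])

// 3. Add a field so the receiving system can tell which rule produced the event.
| forwarded_by := "failed-auth-external"

// 4. Remove fields that should not leave LogScale.
//    The stored events keep them; only the forwarded copy is changed.
| drop([password, auth_token])
```

Every step is a filter or a per-event transformation, which is what a forwarding rule allows; an aggregate function at any point in the pipeline would not be allowed.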
Attention
Warnings due to invalid files in lookup functions
When lookup query functions such as match(), ioc:lookup(), or cidr() are used in event forwarding rules, the files referenced in those functions might be missing or invalid. In such cases, LogScale reports a warning and adds @error fields to the forwarded events.
Warning
Events with tag grouping and auto sharding
Event Forwarding does not forward events with tag grouping and auto sharding applied. This means that tag grouped fields are forwarded with their actual value, instead of their hashed value. The #humioAutoShard tag is also not forwarded. The rule can contain any transformation function, but no aggregate functions. See Query Functions for information on the different query types.