You can add a processing rule to an existing source or create a processing rule when you configure a new source.
To create a processing rule for an existing source, go to Manage Data > Collection > Collection (Manage > Collection in the classic UI) and click Edit next to a source. Click the menu next to Processing Rules, and then click Add Rule.
To create a processing rule for a source that you're configuring, click the menu next to Processing Rules, and then click Add Rule.
- The Add Rule dialog is displayed.
- Type a Name for this rule. (Names have a maximum of 32 characters.)
- For Filter, type a regular expression that defines the messages you want to filter. The rule must match the whole message.
- For single line messages, add .* to the beginning and ending of the segment, such as: .*matching text.*
- For multi-line log messages, to get the lines before and after the line containing your text, wrap the segment with (?s).* such as: (?s).*matching text(?s).*
- Choose the type of processing rule you'd like to create:
- Exclude messages that match. Remove messages that you don't want to send to Sumo Logic at all (think of it as a "black list" filter). These messages are skipped after reaching the Source and are not uploaded to Sumo Logic.
- Include messages that match. Send only the data you'd like in your Sumo Logic account (a "white list" filter). This type of filter can be very useful when the list of log data you want to send to Sumo Logic is easier to filter than setting up exclude filters for all of the types of messages you'd like to exclude, for example, if you only want to include only messages coming from a firewall.
- Hash messages that match. Replace an message with a unique, randomly-generated code to protect sensitive or proprietary information. You may want to hash unique identifiers, such as credit card numbers or user names. By hashing this type of data, you can still track it, even though it's fully hidden.
- Mask messages that match. Replace an expression with a mask string that you can customize—another option to protect data, such as passwords, that you wouldn't normally track.