https://community.splunk.com/t5/Getting-Data-In/Newbie-Question-on-nullQueue/m-p/67344#M13537 <P>Thank you for taking an interest.</P> <P>We are using universal forwarders on the windows boxes to send the information back to a Linux ran Splunk instance. I believe that means we are not going wmi (since the splunk server isn't pulling the logs itself). Do you know what I should use in its place? I was also under the impression that universal forwarders cannot do this filter themselves, but my boss was potentially told something else?</P> <P>Single server Splunk at this time (ignoring the universal forwarders).</P> Fri, 21 Jun 2013 14:34:48 GMT millerjc123 2013-06-21T14:34:48Z https://community.splunk.com/t5/Getting-Data-In/Newbie-Question-on-nullQueue/m-p/67342#M13535 <P>Hello Everyone,</P> <P>I know there are questions similar to mine, but I cannot seem to transform them into a solution for my problem. I am trying to dump information event logs to the nullQueue so they do not count against the cap (company still deciding if they want Splunk). What I currently have is (sorry if new lines are messed up):</P> <P>transforms.conf:</P> <P>[RemoveInformation]</P> <P>REGEX=(?m)Type\s*=\s*Information</P> <P>DEST_KEY = queue</P> <P>FORMAT = nullQueue</P> <P>props.conf:</P> <P>[WMI:WinEventLog:Application]</P> <P>TRANSFORMS-wmi= RemoveInformation</P> <P>[WMI:WinEventLog:Security]</P> <P>TRANSFORMS-wmi= RemoveInformation</P> <P>[WMI:WinEventLog:System]</P> <P>TRANSFORMS-wmi= RemoveInformation</P> <P>[WMI:WinEventLog:Setup]</P> <P>TRANSFORMS-wmi= RemoveInformation</P> <P>I don't believe it matters, but I am using windows based universal forwarder back to a debian based splunk server.</P> <P>Thank you for any and all suggestions.</P> Mon, 28 Sep 2020 14:07:35 GMT https://community.splunk.com/t5/Getting-Data-In/Newbie-Question-on-nullQueue/m-p/67342#M13535 millerjc123 2020-09-28T14:07:35Z https://community.splunk.com/t5/Getting-Data-In/Newbie-Question-on-nullQueue/m-p/67343#M13536 <P>A couple of questions. Are you collecting the logs via wmi? If not then the soucetypes will technically be different and not apply your null queue transform. Next question. Are you using dedicated indexers? If so anything with TRANSFORMS is an index time action and that config must be on each of your indexers not your search head to work.</P> Fri, 21 Jun 2013 14:04:32 GMT https://community.splunk.com/t5/Getting-Data-In/Newbie-Question-on-nullQueue/m-p/67343#M13536 starcher 2013-06-21T14:04:32Z https://community.splunk.com/t5/Getting-Data-In/Newbie-Question-on-nullQueue/m-p/67344#M13537 <P>Thank you for taking an interest.</P> <P>We are using universal forwarders on the windows boxes to send the information back to a Linux ran Splunk instance. I believe that means we are not going wmi (since the splunk server isn't pulling the logs itself). Do you know what I should use in its place? I was also under the impression that universal forwarders cannot do this filter themselves, but my boss was potentially told something else?</P> <P>Single server Splunk at this time (ignoring the universal forwarders).</P> Fri, 21 Jun 2013 14:34:48 GMT https://community.splunk.com/t5/Getting-Data-In/Newbie-Question-on-nullQueue/m-p/67344#M13537 millerjc123 2013-06-21T14:34:48Z https://community.splunk.com/t5/Getting-Data-In/Newbie-Question-on-nullQueue/m-p/67345#M13538 <P>How are you telling the splunk forwarder to pickup the windows logs? Are you using the Windows TA? Or did you create your own inputs.conf?</P> Fri, 21 Jun 2013 15:10:02 GMT https://community.splunk.com/t5/Getting-Data-In/Newbie-Question-on-nullQueue/m-p/67345#M13538 starcher 2013-06-21T15:10:02Z https://community.splunk.com/t5/Getting-Data-In/Newbie-Question-on-nullQueue/m-p/67346#M13539 <P>We originally turned them off since it set off the daily limit. We now have (in C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf):</P> <P>[WinEventLog:Application]<BR /> disabled = 0 <BR /> [WinEventLog:Security]<BR /> disabled = 0 <BR /> [WinEventLog:System]<BR /> disabled = 0 <BR /> [WinEventLog:Setup]<BR /> disabled = 0 </P> <H1>Enable <COMPANYNAME> Service Logs</COMPANYNAME></H1> <P>[WinEventLog:<COMPANYNAME>]<BR /> disabled = 0<BR /> start_from = oldest<BR /> current_only = 0<BR /> [WinEventLog:<COMPANYNAME> Services]<BR /> disabled = 0 <BR /> start_from = oldest<BR /> current_only = 0</COMPANYNAME></COMPANYNAME></P> Mon, 28 Sep 2020 14:09:02 GMT https://community.splunk.com/t5/Getting-Data-In/Newbie-Question-on-nullQueue/m-p/67346#M13539 millerjc123 2020-09-28T14:09:02Z https://community.splunk.com/t5/Getting-Data-In/Newbie-Question-on-nullQueue/m-p/67347#M13540 <P>There there is why it is not applying the regex. You have to match the sourcetype.<BR /> [WMI:WinEventLog:Security]<BR /> TRANSFORMS-wmi= RemoveInformation</P> <P>Needs to be<BR /> [WinEventLog:Security]<BR /> TRANSFORMS-WinSecRemove= RemoveInformation</P> Sat, 22 Jun 2013 00:02:17 GMT https://community.splunk.com/t5/Getting-Data-In/Newbie-Question-on-nullQueue/m-p/67347#M13540 starcher 2013-06-22T00:02:17Z