https://community.splunk.com/t5/Getting-Data-In/Filter-events-on-indexer-from-multiple-universal-forwarders/m-p/136077#M28016 <P>Do those files use the same sourcetype? If so, put the TRANSFORMS-foo value under that sourcetype.</P> Fri, 18 Apr 2014 16:45:21 GMT martin_mueller 2014-04-18T16:45:21Z https://community.splunk.com/t5/Getting-Data-In/Filter-events-on-indexer-from-multiple-universal-forwarders/m-p/136076#M28015 <P>We've about 20 universal forwarders monitoring different log files. Our system doesn't allow to use heavy forwarders because of their performance impact on data indexing.<BR /> These universal forwarders send their data to a couple of indexers.</P> <P>I've read <A href="http://docs.splunk.com/Documentation/Splunk/6.0.3/Forwarding/Routeandfilterdatad">Route and filter data</A> docu (<CODE>Discard specific events and keep the rest section</CODE>). My question is that as we have different source log files located on different boxes, how would I refer them in <CODE>props.conf</CODE> file:</P> <P><CODE>[source::?????]<BR /> TRANSFORMS-null= setnull</CODE></P> <P>For example, on one box I monitor /log/log.1 and on another /log/log.2. <BR /> Should I point the hostname after the <CODE>source::</CODE> as well? Could somebody show an example?</P> <P>Thanks in advance,<BR /> Alexey</P> Fri, 18 Apr 2014 13:54:21 GMT https://community.splunk.com/t5/Getting-Data-In/Filter-events-on-indexer-from-multiple-universal-forwarders/m-p/136076#M28015 takemusu 2014-04-18T13:54:21Z https://community.splunk.com/t5/Getting-Data-In/Filter-events-on-indexer-from-multiple-universal-forwarders/m-p/136077#M28016 <P>Do those files use the same sourcetype? If so, put the TRANSFORMS-foo value under that sourcetype.</P> Fri, 18 Apr 2014 16:45:21 GMT https://community.splunk.com/t5/Getting-Data-In/Filter-events-on-indexer-from-multiple-universal-forwarders/m-p/136077#M28016 martin_mueller 2014-04-18T16:45:21Z https://community.splunk.com/t5/Getting-Data-In/Filter-events-on-indexer-from-multiple-universal-forwarders/m-p/136078#M28017 <P>Yes, for now these files are using the same sourcetype (log4j). When you say <CODE>put the TRANSFORMS-foo value under that sourcetype</CODE> - do you mean editing sourcetype.conf?</P> Mon, 21 Apr 2014 07:45:36 GMT https://community.splunk.com/t5/Getting-Data-In/Filter-events-on-indexer-from-multiple-universal-forwarders/m-p/136078#M28017 takemusu 2014-04-21T07:45:36Z https://community.splunk.com/t5/Getting-Data-In/Filter-events-on-indexer-from-multiple-universal-forwarders/m-p/136079#M28018 <P>Editing sourcetypes.conf rarely ever is required, your own sourcetype settings reside in props.conf.</P> <P>Put your transforms list under your common sourcetype <CODE>log4j</CODE> in props.conf:</P> <PRE><CODE>[log4j] TRANSFORMS-null = ... </CODE></PRE> <P>Remember, this will affect every event with <CODE>sourcetype=log4j</CODE> regardless of <CODE>host</CODE> and <CODE>sourcetype</CODE>.</P> Mon, 21 Apr 2014 09:33:26 GMT https://community.splunk.com/t5/Getting-Data-In/Filter-events-on-indexer-from-multiple-universal-forwarders/m-p/136079#M28018 martin_mueller 2014-04-21T09:33:26Z