https://community.splunk.com/t5/Getting-Data-In/Best-way-to-nullQueue-DNS-logs-by-source/m-p/490761#M83885 <P>@adalbor need two pieces of info:<BR /> 1) what is the deployment architecture?<BR /> 2) Did you reload the indexers to get the new props and transforms config ?</P> Mon, 16 Mar 2020 23:55:40 GMT anmolpatel 2020-03-16T23:55:40Z https://community.splunk.com/t5/Getting-Data-In/Best-way-to-nullQueue-DNS-logs-by-source/m-p/490759#M83883 <P>Hey All,</P> <P>Was just curious if there was a more efficient way of dropping DNS events by the actual query source rather than what I have below.</P> <PRE><CODE>[MSAD:NT6:DNS] TRANSFORMS-dropdns=dropdns [dropdns] REGEX=.*IPOFSOURCE.* DEST_KEY=queue FORMAT=nullQueue </CODE></PRE> Wed, 11 Mar 2020 15:33:51 GMT https://community.splunk.com/t5/Getting-Data-In/Best-way-to-nullQueue-DNS-logs-by-source/m-p/490759#M83883 adalbor 2020-03-11T15:33:51Z https://community.splunk.com/t5/Getting-Data-In/Best-way-to-nullQueue-DNS-logs-by-source/m-p/490760#M83884 <P>I modified it to include another IP but it doesnt appear to be working. Have this on all of my IDX's.<BR /> Any suggestions?</P> <PRE><CODE>[MSAD:NT6:DNS] TRANSFORMS-dropdns = dropdns [dropdns] REGEX=.*1.1.1.1.*|.*2.2.2.2.* DEST_KEY=queue FORMAT=nullQueue </CODE></PRE> Mon, 16 Mar 2020 17:37:54 GMT https://community.splunk.com/t5/Getting-Data-In/Best-way-to-nullQueue-DNS-logs-by-source/m-p/490760#M83884 adalbor 2020-03-16T17:37:54Z https://community.splunk.com/t5/Getting-Data-In/Best-way-to-nullQueue-DNS-logs-by-source/m-p/490761#M83885 <P>@adalbor need two pieces of info:<BR /> 1) what is the deployment architecture?<BR /> 2) Did you reload the indexers to get the new props and transforms config ?</P> Mon, 16 Mar 2020 23:55:40 GMT https://community.splunk.com/t5/Getting-Data-In/Best-way-to-nullQueue-DNS-logs-by-source/m-p/490761#M83885 anmolpatel 2020-03-16T23:55:40Z https://community.splunk.com/t5/Getting-Data-In/Best-way-to-nullQueue-DNS-logs-by-source/m-p/490762#M83886 <P>1) Clustered indexers and UF's on the servers with the DNS logs<BR /> 2) Yes after every change</P> Tue, 17 Mar 2020 13:37:28 GMT https://community.splunk.com/t5/Getting-Data-In/Best-way-to-nullQueue-DNS-logs-by-source/m-p/490762#M83886 adalbor 2020-03-17T13:37:28Z https://community.splunk.com/t5/Getting-Data-In/Best-way-to-nullQueue-DNS-logs-by-source/m-p/490763#M83887 <P>I ended up resolving the issue I had. The UF in question that wasn't working was going through a HF rather than straight to my IDX's</P> <P>Applied the following to the HF's and IDX's and it started dropping the matching events.</P> <P>Support also recommended I use source rather than sourcetype as it was more reliable.</P> <P>Props.conf<BR /> [source::c:\DNSLOGS\dns.log]<BR /> TRANSFORMS-dropdns=dropdns1,dropdns2</P> <P>Transforms.conf<BR /> [dropdns1]<BR /> REGEX = .<EM>1.1.1.1.</EM><BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</P> <P>[dropdns2]<BR /> REGEX = .<EM>2.2.2.2.</EM><BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</P> Tue, 24 Mar 2020 15:47:22 GMT https://community.splunk.com/t5/Getting-Data-In/Best-way-to-nullQueue-DNS-logs-by-source/m-p/490763#M83887 adalbor 2020-03-24T15:47:22Z