
Configuring Nullqueue on Splunk for Windows

steelwool
New Member

I'm needing to filter certain syslog events before indexing to stay below our license limit. These syslog events are from a Cisco ASA and I know the source subnet to be filtered. Routing to the nullqueue sounds like the option I need to use but I just don't see how to do it on Splunk for Windows.

Sorry for the newbie question, but can anyone assist?

Thanks!!!!


dshakespeare_sp
Splunk Employee

Philippz

Can you try placing the transforms.conf and props.conf in the app directory where sourcetype=cisco_asa is configured?

I am guessing this will be $SPLUNK_HOME/etc/apps/Splunk_CiscoFirewalls/local

All should be well


philippz
New Member

Steelwool, did you find a solution for your issue?

I followed the guide mentioned by ziegfried and created the files:

C:\Program Files\Splunk\etc\system\local\props.conf

[cisco_asa]
TRANSFORMS-null= setnull

I also tried:

[source::udp:2000]
TRANSFORMS-null= setnull

I use the Cisco Security Suite App, thus the syslog port moved to 2000 for coexistence with the standard syslog service.

C:\Program Files\Splunk\etc\system\local\transforms.conf

[setnull]
REGEX = (ASA-6-302014|ASA-6-302013|ASA-6-302016|ASA-6-302015)
DEST_KEY = queue
FORMAT = nullQueue

I have no idea what I should try next 😕 Please help!

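Before reloading Splunk with a nullQueue rule, it is worth checking what the REGEX in transforms.conf would actually match against raw events, since a mismatch means either nothing is dropped (license still consumed) or too much is dropped (events silently lost). The script below is an added example, not code from the thread or from Splunk: it parses the setnull stanza exactly as philippz posted it, adds a hypothetical second stanza for the "source subnet" case from the original question (the 10.9.9.0/24 subnet and the stanza name drop_noisy_subnet are made up), and runs both over constructed ASA syslog lines the way Splunk's TRANSFORMS routing does, first matching stanza wins, unanchored search over the raw event. Python's re is used as a stand-in for Splunk's PCRE engine, which is close enough for patterns this simple.

```python
import re

# Constructed sample ASA syslog lines (not taken from the thread). Message IDs
# 302013-302016 are the connection build/teardown events the setnull stanza targets.
SAMPLE_EVENTS = [
    "Jan 12 10:00:01 10.1.2.3 %ASA-6-302013: Built inbound TCP connection 4711 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.1.2.50/51234 (10.1.2.50/51234)",
    "Jan 12 10:00:02 10.1.2.3 %ASA-6-302014: Teardown TCP connection 4711 for outside:203.0.113.5/443 to inside:10.1.2.50/51234 duration 0:00:01 bytes 1234 TCP FINs",
    "Jan 12 10:00:03 10.1.2.3 %ASA-4-106023: Deny tcp src outside:198.51.100.7/5555 dst inside:10.1.2.50/22 by access-group \"outside_in\"",
    "Jan 12 10:00:04 10.9.9.9 %ASA-6-302015: Built outbound UDP connection 4712 for outside:203.0.113.9/53 (203.0.113.9/53) to inside:10.9.9.20/40000 (10.9.9.20/40000)",
    "Jan 12 10:00:05 10.9.9.9 %ASA-6-302016: Teardown UDP connection 4712 for outside:203.0.113.9/53 to inside:10.9.9.20/40000 duration 0:00:02 bytes 200",
    "Jan 12 10:00:06 10.9.9.9 %ASA-6-106015: Deny TCP (no connection) from 203.0.113.5/443 to 10.9.9.20/51234 flags RST on interface outside",
]

# First stanza: the one from the thread. Second stanza: a hypothetical rule that
# drops every event reported by a host in 10.9.9.0/24 (subnet and name are made up).
TRANSFORMS_CONF = r"""
[setnull]
REGEX = (ASA-6-302014|ASA-6-302013|ASA-6-302016|ASA-6-302015)
DEST_KEY = queue
FORMAT = nullQueue

[drop_noisy_subnet]
REGEX = \s10\.9\.9\.\d{1,3}\s%ASA-
DEST_KEY = queue
FORMAT = nullQueue
"""


def parse_transforms(text):
    """Minimal parser for the [stanza] / key = value layout of transforms.conf."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def compile_null_rules(stanzas):
    """Keep only stanzas that really route to nullQueue; a stanza missing
    DEST_KEY = queue or FORMAT = nullQueue would not drop anything in Splunk."""
    rules = []
    for name, kv in stanzas.items():
        if kv.get("DEST_KEY") == "queue" and kv.get("FORMAT") == "nullQueue" and "REGEX" in kv:
            rules.append((name, re.compile(kv["REGEX"])))
    return rules


def route(event, rules):
    """Return ('nullQueue', stanza) for the first matching rule, else ('indexQueue', None).
    Like Splunk, the REGEX is an unanchored search over the raw event text."""
    for name, rx in rules:
        if rx.search(event):
            return "nullQueue", name
    return "indexQueue", None


def summarize(events, rules):
    """Count events that would be indexed (and count against the license) vs dropped per stanza."""
    kept, dropped = 0, {}
    for event in events:
        queue, name = route(event, rules)
        if queue == "nullQueue":
            dropped[name] = dropped.get(name, 0) + 1
        else:
            kept += 1
    return kept, dropped


RULES = compile_null_rules(parse_transforms(TRANSFORMS_CONF))

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(route(event, RULES), event[:48])
    print("indexed / dropped:", summarize(SAMPLE_EVENTS, RULES))
```

Run against the constructed lines, the setnull stanza drops the four connection build/teardown events and the deny from 10.1.2.3 is still indexed; the subnet stanza only gets a turn for the 10.9.9.9 event that setnull did not already claim, which is the point to remember when stacking several nullQueue transforms in one TRANSFORMS-null line. The sanity check this gives you is cheap: if the rule matches nothing here, it will match nothing in Splunk either, and the usual reason is that the raw event does not look the way you assumed (different host field, message ID formatted differently), not that props.conf is in the wrong place.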

ziegfried
Influencer

You just have to create those files (props.conf and transforms.conf) in $SPLUNK_HOME/etc/system/local. Follow this guide: http://www.splunk.com/base/Documentation/4.1.6/Admin/Routeandfilterdata

steelwool
New Member

Sorry, meant to add that I expected to find the props and transforms config files in the HOME/etc/system/local directory to edit them, but they were not there.
