All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Configuring Nullqueue on Splunk for Windows

steelwool
New Member
‎12-06-2010 04:54 PM

I'm needing to filter certain syslog events before indexing to stay below our license limit. These syslog events are from a Cisco ASA and I know the source subnet to be filtered. Routing to the nullqueue sounds like the option I need to use but I just don't see how to do it on Splunk for Windows.

Sorry for the newby question but can anyone assist?

Thanks!!!!

Tags (1)
0 Karma
Reply

dshakespeare_sp
Splunk Employee
Splunk Employee
‎02-03-2012 04:45 AM

Philippz

Can you try placing the transforms.conf and props.conf in the app directory is where sourcetype=cisco_asa is configured.

I am guessing this will be $SPLUNK_HOME/etc/apps/Splunk_CiscoFirewalls/local

All should be well

0 Karma
Reply

philippz
New Member
‎12-08-2011 12:31 AM

Steelwool, did you find a solution for your issue?

I followed the guide mentioned by ziegfried and created the files:

C:\Program Files\Splunk\etc\system\local\props.conf

[cisco_asa]
TRANSFORMS-null= setnull

I also tried :

[source::udp:2000]
TRANSFORMS-null= setnull

I use the Cisco Security Suite App, thus the syslog port moved to 2000 for coexistence with the standard syslog service.

C:\Program Files\Splunk\etc\system\local\ransforms.conf

[setnull]
REGEX = (ASA-6-302014|ASA-6-302013|ASA-6-302016|ASA-6-302015)
DEST_KEY = queue
FORMAT = nullQueue

I have no idea what I should try next 😕 Please help!

0 Karma
Reply

ziegfried
Influencer
‎12-06-2010 05:47 PM

You just have to create those files (props.conf and transforms.conf) in $SPLUNK_HOME/etc/system/local. Follow this guide: http://www.splunk.com/base/Documentation/4.1.6/Admin/Routeandfilterdata

Reply

steelwool
New Member
‎12-06-2010 05:09 PM

Sorry, meant to add that I expected to find the profs and transforms config files in the HOME/etc/system/local directory to edit them but they were not there.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...