Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to drop data from a HEC Collector?

skirven
Communicator
‎05-04-2022 04:13 AM

Hi, 
   I'm trying to isolate why I'm not able to drop data from a HEC Collector endpoint. I have some docker logs I don't need to ingest. The Splunk HF is still on 7.3.8 for backwards compatibility, so I don't know if that's in play here. I checked with btool, and the files did load correctly.

inputs.conf:
 - Sidenote here: When I set "source" value, it remained as "httpevent". But when I changed Sourcetype, the event changed correctly, which is odd.

 

 

[http://tpas_token]
disabled = 0
index = elm-tpas-spc
token = DD0D58D8-9F38-4A96-956C-XXXXXXXXXXXXXX
source = tpas-event
sourcetype = tpas-event

 

 

props.conf
 - Sidenote: I tried also [ tpas-event ], and that also did not work

 

 

[ source::tpas-event ]
TRANSFORMS-drop-handlers = drop-handlers

 

 

 transforms.conf

 

 

[ drop-handlers ]
REGEX = handlers.py|connection.py
DEST_KEY = queue
FORMAT = nullQueue

 

 

 

Labels (2)
Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...