Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to setup a filter to drop specific events on t...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to setup a filter to drop specific events on the heavy forwarder?
Hello, I'm trying to setup a filter to drop specific events that contain an event name from AWS. I've read through the splunk docs and the process seems straight forward:
On the HF where I am getting my input for AWS logs I've made the updates to the props.conf and transforms.conf file like so:
props.conf
[aws]
TRANSFORMS-set_null = to_null
transforms.conf
[to_null]
REGEX = eventname
DEST_KEY = queue
FORMAT = nullQueue
I did not list my regex in this example as I don't feel this is the issue (I've verified the expression works outside of splunk against the raw events).
Is there something else I am missing here? As a pre-caution ive also added the above files to my indexers, but am still seeing the events in question.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to restart all Splunk instances on the nodes that run the first full instance of Splunk handling the data (your HFs). Old events will stay broken but new events will be correct.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This configuration should be in first SplunkEnterprise instance that comes in your data flow, which I assume is your heavy forwarder. Did you restart Splunk on your HF after making this configuration change? Also, make sure the sourcetype name is correct.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Looks to be working now, I must of forgot to restart splunkd on the HF. Do I need to have the same props/transforms on the indexers as well? Just trying to clean up where I can.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No.. it's only required on the instance where events go through parsingQueue (which is HF in your case).
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
