Hello, I'm trying to set up a filter to drop specific events that contain an event name from AWS. I've read through the Splunk docs and the process seems straightforward:
On the HF where I am getting my input for AWS logs I've made the updates to the props.conf and transforms.conf file like so:
props.conf:
[aws]
TRANSFORMS-set_null = to_null

transforms.conf:
[to_null]
REGEX = eventname
DEST_KEY = queue
FORMAT = nullQueue
I did not list my regex in this example as I don't feel this is the issue (I've verified the expression works outside of splunk against the raw events).
Is there something else I am missing here? As a precaution I've also added the above files to my indexers, but am still seeing the events in question.
You need to restart all Splunk instances on the nodes that run the first full instance of Splunk handling the data (your HFs). Old events will stay broken but new events will be correct.
This configuration should be on the first Splunk Enterprise instance that comes in your data flow, which I assume is your heavy forwarder. Did you restart Splunk on your HF after making this configuration change? Also, make sure the sourcetype name is correct.
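The two answers above point at the usual reasons a nullQueue filter appears to do nothing: the props/transforms pair is not on the first full Splunk instance in the path, that instance was not restarted, or the props.conf stanza does not name the actual sourcetype. A third one worth checking is that the transforms.conf REGEX is matched against the raw event text, case-sensitively, so it has to match what is literally in the event. The following is an added example, not Splunk code and not from the original thread: a small Python emulation of how a TRANSFORMS-* stanza routes events to indexQueue or nullQueue, run over a few constructed CloudTrail-style JSON events. The sourcetype name `aws:cloudtrail`, the transform name `to_null`, the regex, and the sample events are all assumptions chosen for illustration.

```python
import configparser
import re

# Constructed props.conf / transforms.conf text (assumed sourcetype aws:cloudtrail).
# Splunk conf files are INI-like, so configparser is enough to read them here.
PROPS_CONF = """
[aws:cloudtrail]
TRANSFORMS-set_null = to_null
"""

# REGEX is applied to the raw event (_raw). The pattern below matches the JSON
# key/value pair for any eventName starting with "Describe".
TRANSFORMS_CONF = r"""
[to_null]
REGEX = "eventName"\s*:\s*"Describe\w+"
DEST_KEY = queue
FORMAT = nullQueue
"""

# Constructed sample events in CloudTrail's JSON shape (not real log data).
SAMPLE_EVENTS = [
    '{"eventVersion":"1.08","eventName":"DescribeInstances","eventSource":"ec2.amazonaws.com","userIdentity":{"userName":"alice"}}',
    '{"eventVersion":"1.08","eventName":"ConsoleLogin","eventSource":"signin.amazonaws.com","userIdentity":{"userName":"bob"}}',
    '{"eventVersion":"1.08","eventName":"DescribeSecurityGroups","eventSource":"ec2.amazonaws.com","userIdentity":{"userName":"alice"}}',
    '{"eventVersion":"1.08","eventName":"DeleteTrail","eventSource":"cloudtrail.amazonaws.com","userIdentity":{"userName":"mallory"}}',
]


def load_conf(text):
    """Parse Splunk-style conf text. Keys (REGEX, DEST_KEY, FORMAT) are case-sensitive,
    so configparser's default lower-casing of option names is switched off."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def transforms_for(sourcetype, props):
    """Collect the transform names listed in TRANSFORMS-* keys of the sourcetype stanza.
    A stanza name that does not match the real sourcetype yields nothing, which is
    exactly the symptom of a misspelled sourcetype: the filter never fires."""
    if sourcetype not in props:
        return []
    names = []
    for key, value in props[sourcetype].items():
        if key.startswith("TRANSFORMS-"):
            names.extend(n.strip() for n in value.split(","))
    return names


def route_events(sourcetype, events, props_text=PROPS_CONF, transforms_text=TRANSFORMS_CONF):
    """Emulate queue routing: each transform with DEST_KEY = queue whose REGEX matches
    the raw event sets the queue to its FORMAT value. Transforms are applied in
    order and the last match wins (a simplification of Splunk's ordering rules)."""
    props = load_conf(props_text)
    transforms = load_conf(transforms_text)
    names = transforms_for(sourcetype, props)
    routed = {"indexQueue": [], "nullQueue": []}
    for raw in events:
        queue = "indexQueue"
        for name in names:
            t = transforms[name]
            if t.get("DEST_KEY") != "queue":
                continue
            if re.search(t["REGEX"], raw):
                queue = t["FORMAT"]
        routed.setdefault(queue, []).append(raw)
    return routed


def count_regex_matches(regex, events):
    """How many raw events a candidate REGEX would match. Useful before deploying:
    a lowercase 'eventname' matches none of the JSON above, because the key is 'eventName'."""
    return sum(1 for raw in events if re.search(regex, raw))


if __name__ == "__main__":
    result = route_events("aws:cloudtrail", SAMPLE_EVENTS)
    print("dropped :", len(result["nullQueue"]))
    print("indexed :", len(result["indexQueue"]))
    print("wrong sourcetype stanza, indexed:", len(route_events("aws", SAMPLE_EVENTS)["indexQueue"]))
    print("matches for 'eventname':", count_regex_matches("eventname", SAMPLE_EVENTS))
```

The `route_events("aws", ...)` call shows why the answer's "make sure the sourcetype name is correct" matters: with a stanza that does not match the sourcetype, every event is indexed and nothing in the transform is ever evaluated. `count_regex_matches` is the quick check to run on real `_raw` samples before relying on a pattern that was only tested outside Splunk.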