Getting Data In

How to set up a filter to drop specific events on the heavy forwarder?

arlombar1
Explorer

Hello, I'm trying to set up a filter to drop specific events that contain an event name from AWS. I've read through the Splunk docs and the process seems straightforward:

On the HF where I am getting my input for AWS logs I've made the updates to the props.conf and transforms.conf files like so:

props.conf

# Stanza name must match the sourcetype of the incoming events
[aws]
# Apply the to_null stanza from transforms.conf at parse time
TRANSFORMS-set_null = to_null

transforms.conf

[to_null]
# Matched against _raw (the default SOURCE_KEY); placeholder, the real expression is omitted below
REGEX = eventname
# Route matching events to the null queue so they are never indexed
DEST_KEY = queue
FORMAT = nullQueue

I did not list my regex in this example as I don't feel this is the issue (I've verified the expression works outside of Splunk against the raw events).

Is there something else I am missing here? As a precaution I've also added the above files to my indexers, but am still seeing the events in question.

0 Karma

woodcock
Esteemed Legend

You need to restart all Splunk instances on the nodes that run the first full instance of Splunk handling the data (your HFs). Old events will stay broken but new events will be correct.

0 Karma

somesoni2
Revered Legend

This configuration should be on the first Splunk Enterprise instance that comes in your data flow, which I assume is your heavy forwarder. Did you restart Splunk on your HF after making this configuration change? Also, make sure the sourcetype name is correct.

0 Karma

arlombar1
Explorer

Looks to be working now, I must have forgotten to restart splunkd on the HF. Do I need to have the same props/transforms on the indexers as well? Just trying to clean up where I can.

0 Karma

somesoni2
Revered Legend

No, it's only required on the instance where events go through the parsingQueue (which is the HF in your case).

0 Karma
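The filter described in the thread, replayed offline over sample events, as an added example that is not code from the thread or from Splunk: it parses props.conf/transforms.conf text shaped like the question's, applies the TRANSFORMS- chain the way a heavy forwarder's parsing pipeline would (regex searched against _raw, last DEST_KEY=queue match wins), and reports how many events would land in nullQueue. The regex, the stanza name aws, the ASCII ordering of TRANSFORMS- classes and the CloudTrail-style events are assumptions constructed for this example.

```python
"""Dry-run a Splunk nullQueue filter against sample events before restarting the HF.

Added example, not code from the thread or from Splunk. It parses
props.conf / transforms.conf text in the shape shown in the question and
replays the routing decision over constructed CloudTrail-style events, so a
regex can be checked (and a too-broad one caught) before it silently discards
data on the heavy forwarder.

Caveat: Splunk evaluates REGEX with PCRE; Python's re module is only an
approximation, adequate for simple expressions like the one assumed below.
"""
import configparser
import re

# Constructed config mirroring the thread. The regex is an assumed example;
# the original poster did not show theirs.
PROPS_CONF = """
[aws]
TRANSFORMS-set_null = to_null
"""

TRANSFORMS_CONF = r"""
[to_null]
REGEX = "eventName"\s*:\s*"Describe\w+"
DEST_KEY = queue
FORMAT = nullQueue
"""

# Constructed sample events; these are not real CloudTrail records.
SAMPLE_EVENTS = [
    '{"eventName":"DescribeInstances","userIdentity":{"type":"IAMUser","userName":"alice"}}',
    '{"eventName":"ConsoleLogin","userIdentity":{"type":"Root"},"responseElements":{"ConsoleLogin":"Success"}}',
    '{"eventName":"DeleteTrail","userIdentity":{"type":"IAMUser","userName":"mallory"}}',
    '{"eventName":"DescribeTrails","userIdentity":{"type":"AssumedRole"}}',
]


def load_conf(text):
    """Parse Splunk .conf text (INI-like, '=' delimited, case-sensitive keys)
    into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # keep DEST_KEY / REGEX etc. exactly as written
    cp.read_string(text)
    return {stanza: dict(cp[stanza]) for stanza in cp.sections()}


def transforms_for_stanza(props, stanza):
    """Collect transform names from every TRANSFORMS-<class> key of a props
    stanza. Names within one class run in the listed order; classes are
    applied here in ASCII order of the class name (an assumption of this
    emulation)."""
    keys = sorted(k for k in props.get(stanza, {}) if k.startswith("TRANSFORMS-"))
    names = []
    for key in keys:
        names.extend(n.strip() for n in props[stanza][key].split(",") if n.strip())
    return names


def route_event(raw, transforms, order):
    """Emulate DEST_KEY=queue routing for one event. Each transform is
    searched (unanchored) against _raw, Splunk's default SOURCE_KEY, and the
    last matching one sets the queue, which stays indexQueue otherwise."""
    queue = "indexQueue"
    for name in order:
        t = transforms.get(name)
        if t is None or t.get("DEST_KEY") != "queue":
            continue
        if re.search(t["REGEX"], raw):
            queue = t["FORMAT"]
    return queue


def dry_run(props_text, transforms_text, stanza, events):
    """Return ({event: queue}, dropped_count). Raises if the props stanza
    names no transforms, which is what a mistyped sourcetype looks like."""
    props = load_conf(props_text)
    transforms = load_conf(transforms_text)
    order = transforms_for_stanza(props, stanza)
    if not order:
        raise ValueError(f"no TRANSFORMS- class under [{stanza}]; check the stanza/sourcetype name")
    decisions = {raw: route_event(raw, transforms, order) for raw in events}
    dropped = sum(1 for q in decisions.values() if q == "nullQueue")
    return decisions, dropped


if __name__ == "__main__":
    decisions, dropped = dry_run(PROPS_CONF, TRANSFORMS_CONF, "aws", SAMPLE_EVENTS)
    for raw, queue in decisions.items():
        print(f"{queue:10s} {raw[:60]}")
    print(f"{dropped}/{len(SAMPLE_EVENTS)} events would be dropped")
    if dropped == len(SAMPLE_EVENTS):
        print("WARNING: regex drops every sample event; it is almost certainly too broad")
```

Run it before restarting splunkd on the HF. A run that drops every sample event is the sign of a too-broad regex, which matters because nullQueue routing happens in the parsing pipeline before anything is written to disk, so discarded events cannot be recovered. On the forwarder itself, `splunk btool props list aws --debug` and `splunk btool transforms list to_null --debug` show which files supply the effective stanzas, which is the quickest way to catch the mistyped sourcetype name the answers above mention.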