Here is my setup.

inputs.conf:

[script://./bin/lsof.sh]
interval = 600
sourcetype = lsof
source = lsof

props.conf:

[script://./bin/lsof.sh]
# also tried [lsof] & [source::lsof]
TRANSFORMS-null = null_splunk_user, null_splunk_command, null_splunk, lsof_normal_queue

transforms.conf:

[null_splunk_user]
REGEX = ^\S+\W+\d+\W+splunk\W+
DEST_KEY = queue
FORMAT = nullQueue

[null_splunk_command]
REGEX = ^splunkd\W+\d+\W+splunk
DEST_KEY = queue
FORMAT = nullQueue

[null_splunk]
REGEX = ^splunkd
DEST_KEY = queue
FORMAT = nullQueue

[lsof_normal_queue]
REGEX = .
DEST_KEY = queue
FORMAT = indexQueue

Sample of data:

splunkd 52507 splunk cwd DIR 202,1 4096 2 /
splunkd 52507 splunk rtd DIR 202,1 4096 2 /
splunkd 52507 splunk txt REG 202,1 76073192 409182 /opt/splunk/bin/splunkd
python2.7 53347 splunk cwd DIR 202,1 4096 2 /
splunk 53347 splunk rtd DIR 202,1 4096 2 /
splunk 53347 splunk txt REG 202,1 577688 411002 /opt/splunk/bin/splunk
splunkd 887 root cwd DIR 259,1 4096 2 /
splunkd 887 root rtd DIR 259,1 4096 2 /
splunkd 887 root txt REG 259,1 76073192 401488 /opt/splunk/bin/splunkd

On the indexer you can see the props & transforms rules:

/opt/splunk/bin/splunk cmd btool props list --debug | grep lsof
/opt/splunk/etc/slave-apps/Splunk_TA_nix/local/props.conf  [lsof]

/opt/splunk/bin/splunk cmd btool transforms list --debug | grep null_splunk
/opt/splunk/etc/slave-apps/Splunk_TA_nix/local/transforms.conf  [null_splunk]
/opt/splunk/etc/slave-apps/Splunk_TA_nix/local/transforms.conf  [null_splunk_command]
/opt/splunk/etc/slave-apps/Splunk_TA_nix/local/transforms.conf  [null_splunk_user]
/opt/splunk/etc/slave-apps/Splunk_TA_nix/local/transforms.conf  [lsof_normal_queue]

I've tried multiple iterations of regexes/props/transforms. I've been restarting the index clusters after each update, to no avail. The majority of the data I'm attempting to drop is on the indexers themselves: Splunk monitoring Splunk.
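One check worth running against the configuration in the question is the order of the TRANSFORMS-null list. Splunk applies the transforms named in a TRANSFORMS-<class> setting in the order listed, and each one whose REGEX matches writes its FORMAT into DEST_KEY; when several match, the last write wins. The posted list ends with lsof_normal_queue, whose REGEX is `.` and whose FORMAT is indexQueue, so every event that the three null_splunk_* stanzas sent to nullQueue is routed back to indexQueue by the final transform. Events that no transform touches already continue to indexQueue, so the simplest fix is to drop lsof_normal_queue from the list (the documented alternative is the reverse pattern: a `.` to nullQueue first, then a positive regex to indexQueue for the events to keep). The props stanza should also be keyed by sourcetype (`[lsof]`) or source (`[source::lsof]`) rather than by the inputs.conf stanza name; the btool output shows `[lsof]` is what is deployed. The script below is an added example, not code from the question or from Splunk_TA_nix: it models that evaluation order in Python over the first three sample lines from the post plus one constructed sshd line, using the poster's exact regexes, and shows the posted order indexing everything while the list without lsof_normal_queue drops only the Splunk-owned lines. The `sshd` line and the helper names are assumptions for illustration.

```python
import re

# lsof lines from the question (first three) plus one constructed
# non-Splunk line (sshd) to show what should survive the filter.
SAMPLE_LINES = [
    "splunkd 52507 splunk cwd DIR 202,1 4096 2 /",
    "python2.7 53347 splunk cwd DIR 202,1 4096 2 /",
    "splunkd 887 root cwd DIR 259,1 4096 2 /",
    "sshd 1234 root cwd DIR 259,1 4096 2 /",   # constructed, not from the post
]

# transforms.conf stanzas exactly as posted: name -> (REGEX, FORMAT).
# DEST_KEY is "queue" for all four, so each match overwrites the queue value.
TRANSFORMS = {
    "null_splunk_user":    (r"^\S+\W+\d+\W+splunk\W+", "nullQueue"),
    "null_splunk_command": (r"^splunkd\W+\d+\W+splunk", "nullQueue"),
    "null_splunk":         (r"^splunkd", "nullQueue"),
    "lsof_normal_queue":   (r".", "indexQueue"),
}

# TRANSFORMS-null as posted, and the same list with the catch-all removed.
POSTED_ORDER = ["null_splunk_user", "null_splunk_command", "null_splunk",
                "lsof_normal_queue"]
FIXED_ORDER = ["null_splunk_user", "null_splunk_command", "null_splunk"]


def route(line, order, transforms=TRANSFORMS):
    """Model Splunk's TRANSFORMS-<class> evaluation for one event.

    Each listed transform is tried in order; if its REGEX matches anywhere
    in the event (Splunk regexes are unanchored unless you write ^), its
    FORMAT is written into DEST_KEY=queue, overwriting any earlier value.
    An event no transform touches proceeds to indexQueue.
    """
    queue = "indexQueue"
    for name in order:
        regex, fmt = transforms[name]
        if re.search(regex, line):
            queue = fmt
    return queue


def route_all(order, lines=SAMPLE_LINES):
    """Return {event: final queue} for every sample line under one ordering."""
    return {line: route(line, order) for line in lines}


if __name__ == "__main__":
    for label, order in (("as posted", POSTED_ORDER), ("catch-all removed", FIXED_ORDER)):
        print(f"TRANSFORMS-null = {', '.join(order)}   ({label})")
        for line, queue in route_all(order).items():
            print(f"  {queue:<10}  {line}")
```

With the posted order every line, including the three splunkd/splunk ones, ends in indexQueue; with lsof_normal_queue removed the first three go to nullQueue and only the sshd line is indexed. The model reproduces the documented ordering rule, not the full indexer pipeline, so after changing transforms.conf it is still worth confirming on the cluster with `splunk cmd btool props list lsof --debug` and a fresh search over the lsof sourcetype.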