Hi community,

I am trying to filter out some undesired traffic from a particular index. I read about the option using props.conf and transforms.conf.

The query matching the traffic that I don't want looks like this:

    index=abc sourcetype=abc_traffic dest_ip=255.255.255.255

The index abc is located in the search App. So, I went to my Search Head -> opt/splunk/etc/apps/search/local and modified the props.conf with the following:

    [abc_traffic]
    TRANSFORMS-null= broadcast-null

Then, I created a TRANSFORMS.conf file in the same directory with the following entry:

    [broadcast-null]
    REGEX= dest_ip= 255.255.255.255
    DEST_KEY= queue
    FORMAT= nullQueue

Restarted Splunk.

I am not sure if I am doing something wrong; maybe I am using the wrong location or format. I don't have much experience managing Splunk. I'd appreciate any help!
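An added example, not part of the original post and not Splunk's own code: a small Python check that loads the posted [broadcast-null] stanza and runs its REGEX against sample events, since an index-time transform matches the raw event text (_raw by default) rather than a search-time field such as dest_ip. The sample events, the helper names, the candidate pattern, and the use of Python's re in place of Splunk's PCRE engine are assumptions.

```python
import configparser
import re

# transforms.conf stanza exactly as posted in the question above.
POSTED_TRANSFORMS = """
[broadcast-null]
REGEX= dest_ip= 255.255.255.255
DEST_KEY= queue
FORMAT= nullQueue
"""

# Constructed sample events (assumption: real abc_traffic events may look
# different; check the raw text of an actual event before relying on this).
SAMPLE_EVENTS = [
    "2024-01-01T00:00:00Z src_ip=10.0.0.5 dest_ip=255.255.255.255 action=allowed",
    "2024-01-01T00:00:01Z src_ip=10.0.0.5 dest_ip=10.0.0.9 action=allowed",
    '{"src_ip": "10.0.0.7", "dest_ip": "255.255.255.255", "action": "allowed"}',
]

def load_regex(conf_text, stanza):
    """Return a stanza's REGEX value with surrounding whitespace trimmed."""
    parser = configparser.RawConfigParser()
    parser.optionxform = str  # keep key case (REGEX, DEST_KEY, FORMAT)
    parser.read_string(conf_text)
    return parser[stanza]["REGEX"]

def dropped_events(regex, events):
    """Events whose raw text the regex matches, i.e. those sent to nullQueue."""
    pattern = re.compile(regex)
    return [event for event in events if pattern.search(event)]

# Hypothetical candidate pattern (not from the post): no space after '=',
# escaped dots, and a lookahead so the address is not matched inside a
# longer token.
CANDIDATE_REGEX = r"dest_ip=255\.255\.255\.255(?![\d.])"

if __name__ == "__main__":
    posted = load_regex(POSTED_TRANSFORMS, "broadcast-null")
    for label, rx in (("posted", posted), ("candidate", CANDIDATE_REGEX)):
        hits = dropped_events(rx, SAMPLE_EVENTS)
        print(f"{label} regex {rx!r} drops {len(hits)} of {len(SAMPLE_EVENTS)} events")
        for event in hits:
            print("   ", event)
```

The third constructed event shows that a key=value pattern drops nothing when the raw text uses a different layout, even though a search on dest_ip would still find the event.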