@richgalloway wrote:

There can be many props.conf and transforms.conf files in a Splunk instance. You'll find them in $SPLUNK_HOME/etc/system/default, $SPLUNK_HOME/etc/system/local, $SPLUNK_HOME/etc/apps/<appname>/default, and $SPLUNK_HOME/etc/apps/<appname>/local (ignoring user-specific files). Splunk combines them all, using precedence rules, to produce a run-time configuration.

Never modify a .conf file in a default directory. Any such changes will be lost the next time Splunk or the app is upgraded.

Where do you make your changes? In the app that defines the sourcetype being modified. That may be a Cisco add-on or a custom app.

Your architecture seems unusual. A search head cluster is supposed to have at least 3 search heads and you don't mention indexers at all. The settings to send unwanted events to the null queue must be installed on each indexer. If you don't have separate indexers then the settings go on the SHs.

Sorry as I'm new to Splunk. I have 1 search head and 2 indexers. Do I need to change the files on the search head or indexer? My /opt path on both machines has these folders: splunkforwarder, splunk_indexer, syslog
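As an added illustration, not part of the thread, of the null-queue setting @richgalloway refers to: a props.conf/transforms.conf pair placed in an app's local directory on each indexer, so it survives upgrades and sits in the precedence layer that overrides the app's default files. The app name, the sourcetype and the regex are assumptions for this example.

```ini
# File: $SPLUNK_HOME/etc/apps/<appname>/local/props.conf  (on each indexer)
# <appname> is the app that defines the sourcetype; "cisco:example" is an
# assumed sourcetype name, not one taken from the thread.
# Index-time settings are applied where the data is parsed (indexer or heavy
# forwarder), which is why this does not go on the search head.
[cisco:example]
# TRANSFORMS-<class> binds one or more transforms.conf stanzas to this
# sourcetype; the class name after the dash is free-form.
TRANSFORMS-drop_noise = drop_informational

# File: $SPLUNK_HOME/etc/apps/<appname>/local/transforms.conf  (same app, same host)
[drop_informational]
# REGEX is matched against _raw (the default SOURCE_KEY). The pattern below is
# a constructed placeholder: adjust it to the events you actually want to drop.
REGEX = \bINFORMATIONAL\b
# Routing the event to the nullQueue discards it before it is indexed, so it
# never consumes license or disk; events that do not match are unaffected.
DEST_KEY = queue
FORMAT = nullQueue
```

After restarting Splunk on the indexer, `splunk btool props list cisco:example --debug` shows which file each effective setting comes from, which is the quickest way to confirm the local file won the precedence merge rather than a copy in a default directory.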