Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About ParsaIsHash
ParsaIsHash
Loves-to-Learn Lots
Member since:
03-10-2025
03-12-2025
Community Statistics
| Posts | 7 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 03-10-2025 |
Activity Feed
- Posted Re: How to Drop All Logs Under a Specific Directory and Its Subdirectories Using props.conf & transforms.conf on a H on Getting Data In. 03-12-2025 01:43 AM
- Posted Re: How to Drop All Logs Under a Specific Directory and Its Subdirectories Using props.conf & transforms.conf on a H on Getting Data In. 03-11-2025 07:27 AM
- Posted Re: How to Drop All Logs Under a Specific Directory and Its Subdirectories Using props.conf & transforms.conf on a H on Getting Data In. 03-11-2025 01:55 AM
- Posted Re: How to Drop All Logs Under a Specific Directory and Its Subdirectories Using props.conf & transforms.conf on a H on Getting Data In. 03-10-2025 11:57 PM
- Posted Re: How to Drop All Logs Under a Specific Directory and Its Subdirectories Using props.conf & transforms.conf on a H on Getting Data In. 03-10-2025 11:56 PM
- Posted Re: How to Drop All Logs Under a Specific Directory and Its Subdirectories Using props.conf & transforms.conf on a H on Getting Data In. 03-10-2025 11:54 PM
- Posted How to Drop All Logs Under a Specific Directory and Its Subdirectories Using props.conf & transforms.conf on a Heavy For on Getting Data In. 03-10-2025 09:36 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 |
03-12-2025
01:43 AM
I have already checked, and the transform configuration is correct with no conflicts in other Splunk settings. Currently, to filter out sources properly, I have to explicitly define each depth of subdirectories using patterns like: [source::/var/log/apple/*]
TRANSFORMS-null=discard_apple_logs
[source::/var/log/apple/*/*]
TRANSFORMS-null=discard_apple_logs This ensures that logs from different levels of subdirectories are included in the filtering process. it's quite strange that Splunk can't handle this scenario if that's the case. Use cases like mine should be fairly common, so I would expect a more straightforward way to handle this.
... View more
03-11-2025
07:27 AM
Yes, it's working correctly. For example, I am reindexing /var/log/syslog to index=os_logs, and it applies as expected.
... View more
03-11-2025
01:55 AM
The only thing happening on this Heavy Forwarder is collecting logs, assigning an index based on the source using transforms.conf and props.conf, and then forwarding them to the indexer cluster.
... View more
03-10-2025
11:57 PM
yes you right and i described why i can't in others answer about it
... View more
03-10-2025
11:56 PM
i described that why i cannot access the inputs file on UF its because of that we do not have permission to access the host
... View more
03-10-2025
11:54 PM
The reason I’m not using inputs.conf with a blacklist is that the hosts sending these logs are managed by another company. They control the Universal Forwarders (UF) and their input configurations, meaning we don’t have access to modify them. However, we still need to mask and drop these logs at our end.
... View more
03-10-2025
09:36 AM
Description: I am using a Splunk Heavy Forwarder (HF) to forward logs to an indexer cluster. I need to configure props.conf and transforms.conf on the HF to drop all logs that originate from a specific directory and any of its subdirectories, without modifying the configuration each time a new subdirectory is created. Scenario: The logs I want to discard are located under /var/log/apple/. This directory contains dynamically created subdirectories, such as: /var/log/apple/nginx/
/var/log/apple/db/intro/
/var/log/apple/some/other/depth/ New subdirectories are added frequently, and I cannot manually update the configuration every time. Attempted Solution: I configured props.conf as follows: [source::/var/log/apple(/.*)?]
TRANSFORMS-null=discard_apple_logs And in transforms.conf: [discard_apple_logs]
REGEX = . DEST_KEY = queue
FORMAT = nullQueue However, this does not seem to work, as logs from the subdirectories are still being forwarded to the indexers. Question: What is the correct way to configure props.conf and transforms.conf to drop all logs under /var/log/apple/, including those from any newly created subdirectories? How can I ensure that this rule applies recursively without explicitly listing multiple wildcard patterns? Any guidance would be greatly appreciated!
... View more
Labels
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-12-2025
05:04 AM
|
