Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About ParsaIsHash
ParsaIsHash
Loves-to-Learn Lots
Member since:
03-10-2025
12-09-2025
Community Statistics
| Posts | 8 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 03-10-2025 |
Activity Feed
- Posted Splunk Enterprise 9.4.7 released but not listed in the official Products Version Compatibility Matrix – is this expected on Splunk Enterprise. 12-09-2025 03:04 AM
- Posted Re: How to Drop All Logs Under a Specific Directory and Its Subdirectories Using props.conf & transforms.conf on a H on Getting Data In. 03-12-2025 01:43 AM
- Posted Re: How to Drop All Logs Under a Specific Directory and Its Subdirectories Using props.conf & transforms.conf on a H on Getting Data In. 03-11-2025 07:27 AM
- Posted Re: How to Drop All Logs Under a Specific Directory and Its Subdirectories Using props.conf & transforms.conf on a H on Getting Data In. 03-11-2025 01:55 AM
- Posted Re: How to Drop All Logs Under a Specific Directory and Its Subdirectories Using props.conf & transforms.conf on a H on Getting Data In. 03-10-2025 11:57 PM
- Posted Re: How to Drop All Logs Under a Specific Directory and Its Subdirectories Using props.conf & transforms.conf on a H on Getting Data In. 03-10-2025 11:56 PM
- Posted Re: How to Drop All Logs Under a Specific Directory and Its Subdirectories Using props.conf & transforms.conf on a H on Getting Data In. 03-10-2025 11:54 PM
- Posted How to Drop All Logs Under a Specific Directory and Its Subdirectories Using props.conf & transforms.conf on a Heavy For on Getting Data In. 03-10-2025 09:36 AM
Topics I've Started
12-09-2025
03:04 AM
Hi Splunk Community & Splunk Docs team, Splunk Enterprise 9.4.7 was released on November 26, 2025 (fixed issues page is already live): https://help.splunk.com/en/splunk-enterprise/release-notes-and-updates/release-notes/9.4/fixed-issues/fixed-issues/splunk-enterprise-9.4.7-fixed-issues However, the official Splunk Products Version Compatibility Matrix still only lists up to 9.4.6 and does not include 9.4.7: https://help.splunk.com/en/splunk-enterprise/release-notes-and-updates/compatibility-matrix/splunk-products-version-compatibility/splunk-products-version-compatibility-matrix We are in the final planning stage of a large SOC migration/upgrade and this specific gap is currently blocking sign-off because leadership requires the version to be explicitly present in the compatibility matrix (especially for Splunk Enterprise Security, CIM Add-on, and SOAR integrations). Questions: 1. Is it safe to assume that 9.4.7 inherits exactly the same compatibility as the rest of the 9.4.x line (no changes introduced in 9.4.7)? 2. When can we expect the compatibility matrix to be updated to include 9.4.7? 3. Is there any official statement or internal ticket we can reference in the meantime? Any clarification from Splunk employees, docs team, or MVPs would be greatly appreciated. Thank you!
... View more
Labels
- Labels:
-
using Splunk Enterprise
03-12-2025
01:43 AM
I have already checked, and the transform configuration is correct with no conflicts in other Splunk settings. Currently, to filter out sources properly, I have to explicitly define each depth of subdirectories using patterns like: [source::/var/log/apple/*]
TRANSFORMS-null=discard_apple_logs
[source::/var/log/apple/*/*]
TRANSFORMS-null=discard_apple_logs This ensures that logs from different levels of subdirectories are included in the filtering process. it's quite strange that Splunk can't handle this scenario if that's the case. Use cases like mine should be fairly common, so I would expect a more straightforward way to handle this.
... View more
03-11-2025
07:27 AM
Yes, it's working correctly. For example, I am reindexing /var/log/syslog to index=os_logs, and it applies as expected.
... View more
03-11-2025
01:55 AM
The only thing happening on this Heavy Forwarder is collecting logs, assigning an index based on the source using transforms.conf and props.conf, and then forwarding them to the indexer cluster.
... View more
03-10-2025
11:57 PM
yes you right and i described why i can't in others answer about it
... View more
03-10-2025
11:56 PM
i described that why i cannot access the inputs file on UF its because of that we do not have permission to access the host
... View more
03-10-2025
11:54 PM
The reason I’m not using inputs.conf with a blacklist is that the hosts sending these logs are managed by another company. They control the Universal Forwarders (UF) and their input configurations, meaning we don’t have access to modify them. However, we still need to mask and drop these logs at our end.
... View more
03-10-2025
09:36 AM
Description: I am using a Splunk Heavy Forwarder (HF) to forward logs to an indexer cluster. I need to configure props.conf and transforms.conf on the HF to drop all logs that originate from a specific directory and any of its subdirectories, without modifying the configuration each time a new subdirectory is created. Scenario: The logs I want to discard are located under /var/log/apple/. This directory contains dynamically created subdirectories, such as: /var/log/apple/nginx/
/var/log/apple/db/intro/
/var/log/apple/some/other/depth/ New subdirectories are added frequently, and I cannot manually update the configuration every time. Attempted Solution: I configured props.conf as follows: [source::/var/log/apple(/.*)?]
TRANSFORMS-null=discard_apple_logs And in transforms.conf: [discard_apple_logs]
REGEX = . DEST_KEY = queue
FORMAT = nullQueue However, this does not seem to work, as logs from the subdirectories are still being forwarded to the indexers. Question: What is the correct way to configure props.conf and transforms.conf to drop all logs under /var/log/apple/, including those from any newly created subdirectories? How can I ensure that this rule applies recursively without explicitly listing multiple wildcard patterns? Any guidance would be greatly appreciated!
... View more
Labels
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
12-09-2025
04:29 AM
|
