I think I know how to do this but I thought it would be best to check with some of the experts here first.   I am upgrading the hardware (storage expansion) on our indexers and this will require turning off and unplugging each device. Indexers are clustered with a Replication Factor of 2. From what I have read: I can issue the 'splunk offline' command on the indexer I am working on Wait for the indexer to wrap up any tasks Then shut down and unplug the machine to perform this upgrade Once complete, I can plug it back in and turn it back on (make sure Splunk starts running again) Am i missing anything important? Thanks! ... View more

Greetings, I have been reading through documentation and responses on here about filtering out specific events at the heavy forwarder (trying to reduce our daily ingest). In the local folder for our Splunk_TA_juniper app I have created a props.conf and a transforms.conf and set owner/permissions to match other .conf files. props.conf: # Filter teardown events from Juniper syslogs into the nullqueue [juniper:junos:firewall:structured] TRANSFORMS-null= setnull transforms.conf # Filter juniper teardown logs to nullqueue [setnull] REGEX = RT_FLOW_SESSION_CLOSE DEST_KEY = queue FORMAT = nullQueue I restarted the Splunk service... but I'm still getting these events. Not sure what I did wrong. I pulled some raw event text and tested the regex in PowerShell (worked with -match). Any help would be greatly appreciated! ... View more