×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
domi
Engager
Member since: ‎11-11-2025
‎11-11-2025
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎11-11-2025
Activity Feed
Topics I've Started
View All

Re: can not get transforms to work

by in Splunk Cloud Platform
‎11-12-2025 01:01 AM
‎11-12-2025 01:01 AM
Hello PickelRick, thank you for your insight and explanation. I managed to solve my problem with a ruleset.   best regards    Domi  ... View more

Re: can not get transforms to work

by in Splunk Cloud Platform
‎11-11-2025 04:07 AM
‎11-11-2025 04:07 AM
Hi livehybrid, thank you for the reply. the data is coming directly from the Exchange Servers with installed Universal Forwarder. We do not use HFs. Do i have to put the props and transports config also on the search heads? Or do i have to toggle a switch to enable processing of the custom config?  i do not know where to look   best regards  Domi ... View more

can not get transforms to work

by in Splunk Cloud Platform
‎11-11-2025 02:56 AM
‎11-11-2025 02:56 AM
Hello, I can not get transforms to work. I have read a lot of posts but it seams I'm missing something. i want to use the Microsoft IIS Add on. I have installed it in the Splunk farm. Now there are some Events I do not need and want them excluded from indexing. I have added /opt/splunk/etc/manager-apps/Splunk_TA_microsoft-iis/local/props.conf [ms:iis:auto] TRANSFORMS-remove_healthcheck = remove_health_check TRANSFORMS-remove_aes = remove_active_sync and /opt/splunk/etc/manager-apps/Splunk_TA_microsoft-iis/local/transforms.conf [remove_health_check] REGEX = .*healthcheck.htm.* DEST_KEY = queue FORMAT = nullQueue [remove_active_sync] REGEX = .*Microsoft-Server-ActiveSync.* DEST_KEY = queue FORMAT = nullQueue and the redeployed the bundle with ../bin/splunk apply cluster-bundle --answer-yes WARNING: Server Certificate Hostname Validation is disabled. Please see server.conf/[sslConfig]/cliVerifyServerName for details. Created new bundle with checksum=8F0F556530244F68D99DC60D00CBB8CD Applying new bundle. The peers may restart depending on the configurations in applied bundle. Please run 'splunk show cluster-bundle-status' for checking the status of the applied bundle. OK ../bin/splunk show cluster-bundle-status WARNING: Server Certificate Hostname Validation is disabled. Please see server.conf/[sslConfig]/cliVerifyServerName for details. master cluster_status=None active_bundle checksum=8F0F556530244F68D99DC60D00CBB8CD timestamp=1762857886 (in localtime=Tue Nov 11 10:44:46 2025) latest_bundle checksum=8F0F556530244F68D99DC60D00CBB8CD timestamp=1762857886 (in localtime=Tue Nov 11 10:44:46 2025) last_validated_bundle checksum=8F0F556530244F68D99DC60D00CBB8CD last_validation_succeeded=1 timestamp=1762857886 (in localtime=Tue Nov 11 10:44:46 2025) last_check_restart_bundle last_check_restart_result=restart not required checksum= timestamp=0 (in localtime=Thu Jan 1 00:00:00 1970) splunkindexcn3 749BF3E2-CAA8-442F-9957-9A8BCD34C35C default active_bundle=8F0F556530244F68D99DC60D00CBB8CD latest_bundle=8F0F556530244F68D99DC60D00CBB8CD last_validated_bundle=8F0F556530244F68D99DC60D00CBB8CD last_bundle_validation_status=success restart_required_apply_bundle=0 status=Up splunkindexcn1 74C24C34-8967-4D87-B0EF-F71B0E3DB18C default active_bundle=8F0F556530244F68D99DC60D00CBB8CD latest_bundle=8F0F556530244F68D99DC60D00CBB8CD last_validated_bundle=8F0F556530244F68D99DC60D00CBB8CD last_bundle_validation_status=success restart_required_apply_bundle=0 status=Up splunkindexcn2 D376D738-D61B-4F92-A685-C8D546798D55 default active_bundle=8F0F556530244F68D99DC60D00CBB8CD latest_bundle=8F0F556530244F68D99DC60D00CBB8CD last_validated_bundle=8F0F556530244F68D99DC60D00CBB8CD last_bundle_validation_status=success restart_required_apply_bundle=0 status=Up ../bin/splunk rolling-restart cluster-peers But the Events are still in the search.  I am new to Splunk and we set up the Farm with a Consultant but now i want to make changes on my own. Is there a Log where i can see if the transforms getting called oder something else. Here are the Event i want to get rid off: 2025-11-10 23:59:54 Server  IP POST /Microsoft-Server-ActiveSync/default.eas Cmd=Ping&User=blablabla... 2025-11-10 23:59:55 Server IP GET /mapi/healthcheck.htm - 443 - IP HTTP/1.0 - - IP:443 200 0 0 4 - - on I hope someone can give me a hint  where to look.   best regards Domi ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎11-11-2025 02:36 AM