
Filter out logs using props.conf and transforms.conf

I am pulling logs from the firewalls via scripts on a heavy forwarder (via scripts from the app for Checkpoint). How do I create props.conf and transforms.conf to filter some logs from being indexed by the indexers? And where should I put them: in the $Splunk/etc/apps/APP_NAME/local folder or in the $SPLUNK/etc/system/local/ folder on the heavy forwarder? This is what I've got so far, and it doesn't seem to be picking up the logs that I want to filter out.

**props.conf:**

```
[source::...opsec]
sourcetype = opsec

[opsec]
TRANSFORMS-set= setnull, setparsing
```

**transforms.conf**

```
[setnull]
REGEX = LAB
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = .
DEST_KEY = queue
FORMAT = indexQueue
```
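Added example, not part of the original post and not Splunk's code: a small Python model of how the transforms named in one `TRANSFORMS-<class>` value are applied left to right, with each matching transform overwriting the `queue` key. Under that model the posted order `setnull, setparsing` leaves every event in `indexQueue`, while `setparsing, setnull` sends events matching `LAB` to `nullQueue`; the sample events and the function names are constructed for illustration.

```python
import configparser
import re

# transforms.conf as posted in the question above
TRANSFORMS_CONF = """
[setnull]
REGEX = LAB
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX = .
DEST_KEY = queue
FORMAT = indexQueue
"""

# Constructed sample events (not real Check Point output)
SAMPLE_EVENTS = [
    "action=accept orig=LAB-FW01 src=10.0.0.5 dst=10.0.0.9",
    "action=drop orig=PROD-FW02 src=192.0.2.10 dst=198.51.100.7",
]

def load_transforms(text):
    """Parse transforms.conf text into {stanza: {key: value}}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep REGEX/DEST_KEY/FORMAT in upper case
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}

def route(event, transform_list, transforms):
    """Return the queue an event ends up in for a TRANSFORMS-<class> value."""
    queue = "indexQueue"  # destination when no transform matches
    for name in (n.strip() for n in transform_list.split(",")):
        stanza = transforms[name]
        # Model assumption: every transform whose REGEX matches overwrites
        # the queue key, so the last matching transform decides the result.
        if stanza["DEST_KEY"] == "queue" and re.search(stanza["REGEX"], event):
            queue = stanza["FORMAT"]
    return queue

def dry_run(transform_list):
    """Final queue for each constructed sample event, in order."""
    transforms = load_transforms(TRANSFORMS_CONF)
    return [route(e, transform_list, transforms) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    print("as posted:", dry_run("setnull, setparsing"))
    print("reordered:", dry_run("setparsing, setnull"))
```
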
