I am pulling logs from the firewalls via scripts on a heavy forwarder (via scripts from the app for Checkpoint). How do I create props.conf and transforms.conf to filter some logs from being indexed by the indexers? And where do I put them: in the $Splunk/etc/apps/APP_NAME/local folder or in the $SPLUNK/etc/system/local/ folder on the heavy forwarder?
This is what I've got so far and it doesn't seem to be picking up the logs that I want to filter out.
**props.conf:**

```
[source::...opsec]
sourcetype = opsec

[opsec]
TRANSFORMS-set = setnull, setparsing
```

**transforms.conf:**

```
[setnull]
REGEX = LAB
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = .
DEST_KEY = queue
FORMAT = indexQueue
```
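For comparison, an added example (not the poster's configuration) of a props.conf/transforms.conf pair that discards only the events containing `LAB`; it assumes the files live in `$SPLUNK_HOME/etc/apps/<APP_NAME>/local/` on the heavy forwarder, where parsing happens, and uses the stanza name `dropLAB` as a placeholder. The point it illustrates is that transforms listed in one `TRANSFORMS-` setting run in order and the last one that matches wins, so a trailing rule with `REGEX = .` that sets `indexQueue` sends every event back to the index queue.

```ini
# ---- props.conf (assumed path: $SPLUNK_HOME/etc/apps/<APP_NAME>/local/) ----
[source::...opsec]
sourcetype = opsec

[opsec]
# One transform is enough to discard events: an event that matches no
# transform keeps its default destination, the index queue.
# Do NOT append a catch-all "REGEX = ." rule that sets indexQueue after
# this one; it would match every event and override the nullQueue routing.
TRANSFORMS-set = dropLAB

# ---- transforms.conf (same directory) ----
[dropLAB]
# REGEX is matched against _raw (the default SOURCE_KEY) and is
# case-sensitive; use (?i)lab if the marker can appear in mixed case.
REGEX = LAB
DEST_KEY = queue
FORMAT = nullQueue
```

Index-time settings are read at startup, so restart the heavy forwarder after the change and confirm with a search such as `sourcetype=opsec LAB` over new data that no matching events reach the indexers.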