Getting Data In

How to filter logs with the word "version" to nullQueue on the Splunk Cloud Sandbox?

andremidea
Engager

I'm trying to filter logs with the 'version' word, and send them to the nullQueue.

First of all, I'm using the Universal Forwarder and the Splunk Cloud sandbox. I tried to do this by using the config files,

Something like this:

props.conf

[default]
TRANSFORMS-null = setnull

transforms.conf

[setnull]
REGEX = version
DEST_KEY = queue
FORMAT = nullQueue

But it didn't work out; then I read that with Splunk Cloud you need to do these configurations using the GUI.

It's quite confusing how to do this; all the documentation is about the Enterprise version.

I've tried to create a Field Transformation with these options:
regex = version
SourceKey = _raw
format = queue::nullQueue

But again, it doesn't work.

Any ideas? Thanks.


yannK
Splunk Employee

The props/transforms have to be set up on the indexers (in this case the Splunk Cloud instance).
But on sandbox/trials you cannot install your own apps, and cannot reach support to get help.

Therefore the solution is to use a heavy forwarder to be able to parse the events before forwarding them (see @acharlieh's answer).


acharlieh
Influencer

I'll readily admit that I'm not on Splunk Cloud, but one option could be to introduce a Heavy Forwarder in your architecture. (So UF -> HF -> Splunk Cloud. )

Since a Heavy Forwarder does all of the parsing (which a UF does not*), and since you control all of the settings here, you can then nullQueue on the Heavy Forwarder (before data leaves your network). If you want more than you ever wanted to know about Splunk's ingestion process I recommend: http://wiki.splunk.com/Community:HowIndexingWorks

* Know that in limited circumstances a UF can also nullQueue, but it's not broadly applicable.
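
What the heavy forwarder configuration looks like in practice, as an added example that is not from any of the posts above: the rule is scoped to one sourcetype (the name my_app_logs is an assumption) and the regex is word-bounded, since a bare `version` as in the question's config also matches words such as `inversion`.

```ini
# props.conf on the heavy forwarder (e.g. $SPLUNK_HOME/etc/system/local/props.conf
# or an app's local/ directory). Scope the rule to one sourcetype instead of
# [default] so unrelated data is not dropped; [source::...] or [host::...]
# stanzas work the same way. The sourcetype name "my_app_logs" is an assumption.
[my_app_logs]
TRANSFORMS-null = drop_version_events

# transforms.conf on the same heavy forwarder.
[drop_version_events]
# Match the whole word "version", case-insensitively, anywhere in the raw event.
# A bare "version" would also match "inversion" or "subversion".
REGEX = (?i)\bversion\b
# SOURCE_KEY defaults to _raw, so the regex is applied to the full event text.
SOURCE_KEY = _raw
# Route matching events to the null queue; they are discarded on the heavy
# forwarder before anything is sent to Splunk Cloud, so they are never indexed.
DEST_KEY = queue
FORMAT = nullQueue
```

Restart the heavy forwarder after saving both files; because the rule runs in the parsing pipeline, the same two files do nothing on a Universal Forwarder, which is why the copy in the question had no effect.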

andremidea
Engager

Thanks for the help.

I don't think I can have a heavy forwarder with Splunk Cloud, just the UF. I tried to do the props/transforms.conf at UF level but it doesn't work, as you said.

I'm trying to use the Splunk GUI to do this, but it doesn't seem to work.


yannK
Splunk Employee

You can replace the Universal Forwarder with a heavy forwarder (install a full Splunk, and install the cloud forwarding app).


acharlieh
Influencer

According to the Splunk Cloud user manual, the way to get data that requires parsing to Splunk Cloud is to manage a Heavy Forwarder on premises. So I would think that setting up an HF is indeed an option with Cloud.
