I'm trying to filter logs containing the word 'version' and send them to the nullQueue.
First of all, I'm using the Universal Forwarder and the Splunk Cloud sandbox. I tried to do this using the config files, something like this:
props.conf
[default]
TRANSFORMS-null = setnull
transforms.conf
[setnull]
REGEX = version
DEST_KEY = queue
FORMAT = nullQueue
But it didn't work out; then I read that with Splunk Cloud you need to do these configurations using the GUI.
It's quite confusing how to do this; all the documentation is about the Enterprise version.
I've tried to create a Field Transformation with these options:
regex = version
SourceKey = _raw
format = queue::nullQueue
But again, it doesn't work.
Any ideas? Thanks.
The props/transforms have to be set up on the indexers (in this case the Splunk Cloud instance).
But on sandbox/trials you cannot install your own apps, and cannot reach support to get help.
Therefore the solution is to use a heavy forwarder to be able to parse the events before forwarding them (see @acharlieh's answer).
I'll readily admit that I'm not on Splunk Cloud, but one option could be to introduce a Heavy Forwarder in your architecture. (So UF -> HF -> Splunk Cloud.)
Since a Heavy Forwarder does all of the parsing (which a UF does not*), and since you control all of the settings here, you can then nullQueue on the Heavy Forwarder (before data leaves your network). If you want more than you ever wanted to know about Splunk's ingestion process, I recommend: http://wiki.splunk.com/Community:HowIndexingWorks
* ...Know that in limited circumstances, a UF can also nullQueue, but it's not broadly applicable
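As an added example (not the poster's configuration and not taken from Splunk's documentation), this is what the props.conf/transforms.conf pair from the question would look like when placed on the Heavy Forwarder that sits between the UF and Splunk Cloud. The sourcetype name my_app_logs is a placeholder; the stanza is scoped to a sourcetype rather than [default] so the null-routing only affects the data you intend, and the regex is word-anchored so it matches the word "version" rather than any event that merely contains that substring.

```ini
# props.conf on the heavy forwarder ($SPLUNK_HOME/etc/system/local/ or an app's local/ directory).
# "my_app_logs" is a placeholder sourcetype; a [default] stanza would apply the
# transform to every sourcetype the HF parses, which is rarely what you want.
[my_app_logs]
TRANSFORMS-null = setnull

# transforms.conf in the same directory.
[setnull]
# \b anchors limit the match to the whole word "version"; the bare REGEX = version
# from the question would also discard events containing "conversion" or "versioning".
REGEX = \bversion\b
DEST_KEY = queue
FORMAT = nullQueue
```

Restart the Heavy Forwarder after editing both files. Matching events are dropped in the HF's parsing pipeline, so they never leave your network or reach Splunk Cloud; the same two files on a Universal Forwarder are ignored because the UF does not run the parsing pipeline, which is the reason the poster's original attempt had no effect.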
Thanks for the help.
I don't think I can have a heavy forwarder with Splunk Cloud, just the UF. I tried to do the props/transforms.conf at UF level but it doesn't work, as you said.
I'm trying to use the Splunk GUI to do this, but it doesn't seem to work.
You can replace the Universal Forwarder with a heavy forwarder (install a full Splunk, and install the cloud forwarding app).
According to the Splunk Cloud user manual, the way to get data that requires parsing to Splunk Cloud is to manage a Heavy Forwarder on premises. So I would think that setting up an HF is indeed an option with Cloud.