All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Configuring Nullqueue on Splunk for Windows

steelwool
New Member
‎12-06-2010 04:54 PM

I'm needing to filter certain syslog events before indexing to stay below our license limit. These syslog events are from a Cisco ASA and I know the source subnet to be filtered. Routing to the nullqueue sounds like the option I need to use but I just don't see how to do it on Splunk for Windows.

Sorry for the newby question but can anyone assist?

Thanks!!!!

Tags (1)
0 Karma
Reply

dshakespeare_sp
Splunk Employee
Splunk Employee
‎02-03-2012 04:45 AM

Philippz

Can you try placing the transforms.conf and props.conf in the app directory is where sourcetype=cisco_asa is configured.

I am guessing this will be $SPLUNK_HOME/etc/apps/Splunk_CiscoFirewalls/local

All should be well

0 Karma
Reply

philippz
New Member
‎12-08-2011 12:31 AM

Steelwool, did you find a solution for your issue?

I followed the guide mentioned by ziegfried and created the files:

C:\Program Files\Splunk\etc\system\local\props.conf

[cisco_asa]
TRANSFORMS-null= setnull

I also tried :

[source::udp:2000]
TRANSFORMS-null= setnull

I use the Cisco Security Suite App, thus the syslog port moved to 2000 for coexistence with the standard syslog service.

C:\Program Files\Splunk\etc\system\local\ransforms.conf

[setnull]
REGEX = (ASA-6-302014|ASA-6-302013|ASA-6-302016|ASA-6-302015)
DEST_KEY = queue
FORMAT = nullQueue

I have no idea what I should try next 😕 Please help!

0 Karma
Reply

ziegfried
Influencer
‎12-06-2010 05:47 PM

You just have to create those files (props.conf and transforms.conf) in $SPLUNK_HOME/etc/system/local. Follow this guide: http://www.splunk.com/base/Documentation/4.1.6/Admin/Routeandfilterdata

Reply

steelwool
New Member
‎12-06-2010 05:09 PM

Sorry, meant to add that I expected to find the profs and transforms config files in the HOME/etc/system/local directory to edit them but they were not there.

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...