just to add some context, here is an example of both props and transforms settings to route the events to Null:

props.conf

[opsec]
TRANSFORMS = null

transforms.conf

[null]
REGEX=service=80
DEST_KEY = queue
FORMAT = nullQueue

sowings: Yes, I restarted Splunk after the change. I have Splunk (enterprise) with Enterprise Security (this is the main Splunk indexer). It's Linux server and the Checkpoint (OPSEC LEA) is not being forwarded from another system. The Splunk Linux indexer has the OPSECLEA TA installed to received the Checkpoint data.

Thanks

Did you restart your indexer after making this change?

Can you tell me what kind of Splunk you have installed on the box that is collecting the checkpoint data? Is it the same as the indexer, or some other system?

Sure, here are my current props and transforms stanzas that are now in the global home-etc-system-local directory:

PROPS.CONF

[opsec]
TRANSFORMS-null = setnullopsec

TRANSFORMS.CONF

[setnullopsec]
REGEX="service=80"
DEST_KEY=queue
FORMAT=nullQueue

Thanks again for your help.

Can you repost your current props and transforms stanzas?

Unfortunately it's still not working. I modified my props stanza to [opsec] and used the simple REGEX="service=80". I have also modified the props.conf and transforms.conf in the global directory instead of the app directory and not working either. I'm all out of ideas on this... might need to call for Splunk support.

sowings: Thanks very much for all of this information. I have removed (?m) from my REGEX and I'm now testing this REGEX in my transforms:

[setnull]
REGEX="service=80"

I'll use the | anchor to limit to "80" once I get "service=80" to work (trying to keep it simple at first).

I did test my regex in regexpal.com and also in the search UI before modifying it in transforms. But I wasn't using the "regex_raw" command before (I was just typing "service=80" etc. into the UI search) so thanks for that tip.

I'll test again this morning and let you know if it works.
Thanks!

Ok, I have "moved" the nullQueue from the APP-local directory to the home-etc-system-local directory and still not working...

lukejadamec: thanks for the explanation, that makes sense. I'll test it at the global level today.

kristian: i have changed my props stanza to [opsec]. I'll let you know if it works after rebooting and testing.

I have another nullQueue (that works) setup for my Windows WMI data. It is also using: TRANSFORMS-null = setnull. Is it OK that it has the same name (setnull) or should I change this nullQueue name to setnull-opsec?

Thanks!

echojaques: if the sourcetype is opsec then the stanza in props.conf should be;

[opsec]
TRANSFORMS-null = setnull

Doing it in etc/system/local just ensures that the setting will have the highest priority and will always be active, regardelss of whether you enable/disable certain apps.

/K

Global stanzas should go at the top (best practice), correct stanzas work where they belong.
Kristian gave you the quick answer to this document: http://docs.splunk.com/Documentation/Splunk/4.3.4/Admin/Wheretofindtheconfigurationfiles
Which basically says that index time activity happens first at the global level, which is controlled first by the etc/system/local configuration files.

I had to disable the app since I was getting close to exceeding my license due to this problem.

Will try again tomorrow.

Using sourcetype::opsec instead did not work...

Also, not sure if it matters, but I have the stanzas at the top/beginning of my props.conf and transforms.conf files.

kristian,

So I will modify my props.conf to use the sourcetype like this:

[sourcetype::opsec]
 TRANSFORMS-null=setnull

I will reboot and let you know if it works. Also, I thought I had to make the changes in the APP directory??

Use your sourcetype instead of the source in props.conf, if possible.

and yes, do it in local, not in default. Just to ensure that it is going to happen, make the changes to props/transforms in $SPLUNK_HOME/etc/system/local

Oh, and the opsec source is actually the OPSEC LEA add-on.