Here is my setup.

inputs.conf:

    [script://./bin/lsof.sh]
    interval = 600
    sourcetype = lsof
    source = lsof

props.conf:

    [script://./bin/lsof.sh]
    # also tried [lsof] & [source::lsof]
    TRANSFORMS-null = null_splunk_user, null_splunk_command, null_splunk, lsof_normal_queue

transforms.conf:

    [null_splunk_user]
    REGEX = ^\S+\W+\d+\W+splunk\W+
    DEST_KEY = queue
    FORMAT = nullQueue

    [null_splunk_command]
    REGEX = ^splunkd\W+\d+\W+splunk
    DEST_KEY = queue
    FORMAT = nullQueue

    [null_splunk]
    REGEX = ^splunkd
    DEST_KEY = queue
    FORMAT = nullQueue

    [lsof_normal_queue]
    REGEX = .
    DEST_KEY = queue
    FORMAT = indexQueue

Sample of data:

    splunkd   52507 splunk cwd DIR 202,1     4096      2 /
    splunkd   52507 splunk rtd DIR 202,1     4096      2 /
    splunkd   52507 splunk txt REG 202,1 76073192 409182 /opt/splunk/bin/splunkd
    python2.7 53347 splunk cwd DIR 202,1     4096      2 /
    splunk    53347 splunk rtd DIR 202,1     4096      2 /
    splunk    53347 splunk txt REG 202,1   577688 411002 /opt/splunk/bin/splunk
    splunkd     887 root   cwd DIR 259,1     4096      2 /
    splunkd     887 root   rtd DIR 259,1     4096      2 /
    splunkd     887 root   txt REG 259,1 76073192 401488 /opt/splunk/bin/splunkd

On the indexer you can see the props & transforms rules:

    /opt/splunk/bin/splunk cmd btool props list --debug | grep lsof
    /opt/splunk/etc/slave-apps/Splunk_TA_nix/local/props.conf [lsof]

    /opt/splunk/bin/splunk cmd btool transforms list --debug | grep null_splunk
    /opt/splunk/etc/slave-apps/Splunk_TA_nix/local/transforms.conf [null_splunk]
    /opt/splunk/etc/slave-apps/Splunk_TA_nix/local/transforms.conf [null_splunk_command]
    /opt/splunk/etc/slave-apps/Splunk_TA_nix/local/transforms.conf [null_splunk_user]
    /opt/splunk/etc/slave-apps/Splunk_TA_nix/local/transforms.conf [lsof_normal_queue]

I've tried multiple iterations of regexes/props/transforms. I've been restarting the index clusters after each update to no avail. The majority of the data I'm attempting to drop is on the indexers themselves, splunk monitoring splunk.
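An added example (not part of the post above) that models how Splunk evaluates a TRANSFORMS-<class> list against the posted transforms and sample lines: it assumes Splunk's documented behaviour that transforms run in the listed order and the last matching one to write DEST_KEY = queue wins, so it shows what the posted order routes versus the same stanzas with the catch-all listed first. The `sshd` line is a constructed non-Splunk event to check that legitimate data is still kept.

```python
import re

# Sample lines taken from the post (whitespace normalised) plus one
# constructed non-Splunk process line that should survive filtering.
SAMPLE_EVENTS = [
    "splunkd 52507 splunk cwd DIR 202,1 4096 2 /",
    "python2.7 53347 splunk cwd DIR 202,1 4096 2 /",
    "splunkd 887 root txt REG 259,1 76073192 401488 /opt/splunk/bin/splunkd",
    "sshd 1234 root cwd DIR 259,1 4096 2 /",  # constructed: not Splunk, keep it
]

# The transforms.conf stanzas from the post, expressed as dicts.
TRANSFORMS = {
    "null_splunk_user":    {"REGEX": r"^\S+\W+\d+\W+splunk\W+", "DEST_KEY": "queue", "FORMAT": "nullQueue"},
    "null_splunk_command": {"REGEX": r"^splunkd\W+\d+\W+splunk", "DEST_KEY": "queue", "FORMAT": "nullQueue"},
    "null_splunk":         {"REGEX": r"^splunkd", "DEST_KEY": "queue", "FORMAT": "nullQueue"},
    "lsof_normal_queue":   {"REGEX": r".", "DEST_KEY": "queue", "FORMAT": "indexQueue"},
}

def route_event(event, transform_order, default_queue="indexQueue"):
    """Model of Splunk's TRANSFORMS-<class> evaluation (assumption: transforms are
    applied in the listed order, and the last one whose REGEX matches sets queue)."""
    queue = default_queue
    for name in transform_order:
        t = TRANSFORMS[name]
        if t["DEST_KEY"] == "queue" and re.search(t["REGEX"], event):
            queue = t["FORMAT"]  # a later match overwrites an earlier one
    return queue

def route_all(transform_order):
    """Map every sample event to the queue it ends up in under the given order."""
    return {event: route_event(event, transform_order) for event in SAMPLE_EVENTS}

# Order exactly as written in the post's props.conf: catch-all indexQueue rule last.
POSTED_ORDER = ["null_splunk_user", "null_splunk_command", "null_splunk", "lsof_normal_queue"]
# Same stanzas with the catch-all first, so the specific nullQueue rules apply after it.
CATCHALL_FIRST = ["lsof_normal_queue", "null_splunk_user", "null_splunk_command", "null_splunk"]

if __name__ == "__main__":
    for label, order in (("posted order", POSTED_ORDER), ("catch-all first", CATCHALL_FIRST)):
        print(label)
        for event, queue in route_all(order).items():
            print(f"  {queue:10} <- {event}")
```

With the posted order every line ends in indexQueue because `REGEX = .` matches everything and runs last; with the catch-all first, the three Splunk-owned lines go to nullQueue and the `sshd` line is indexed.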