Our main syslog server just forwards everything to Splunk. We have exclusions in syslog for certain applications but we would still like to clean out anything not vital to Splunk. I've attempted to set up the props.conf and transforms.conf appropriately but it doesn't seem to work properly. I moved them to /opt/splunk/etc/system/local instead of editing the default files.
props.conf
[source::udp:514]
TRANSFORMS-drop_hosts = drop_hosts
transforms.conf
[drop_hosts]
SOURCE_KEY = Metadata:Host
REGEX = 192.168.158.131.log
DEST_KEY = queue
FORMAT = nullQueue
I am just testing it with one right now. But when I pull up the Data Summary and look at the host count for that IP it continues to rise.
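As an added illustration (not code from the post or from Splunk itself), here is a small Python model of how a transforms.conf stanza with SOURCE_KEY = Metadata:Host and FORMAT = nullQueue routes events: Splunk runs REGEX as an unanchored search over the host value, and a match sends the event to nullQueue. The sample host values are constructed, and the model assumes the host field holds the bare address or name as shown.

```python
import re

# Constructed sample events (host metadata, raw syslog line); not from the post.
EVENTS = [
    ("192.168.158.131",     "<13>Jun  1 10:00:00 fw01 kernel: link up"),
    ("192.168.158.131.log", "<13>Jun  1 10:00:01 fw01 cron: job done"),
    ("192x168y158z131",     "<13>Jun  1 10:00:02 web01 sshd: session opened"),
    ("10.0.0.5",            "<13>Jun  1 10:00:03 db01 sshd: session opened"),
]

def route(events, regex):
    """Model a transforms.conf stanza with SOURCE_KEY = Metadata:Host,
    DEST_KEY = queue, FORMAT = nullQueue.

    REGEX is applied as an unanchored search over the host value; a match
    sends the event to nullQueue (discarded before indexing), otherwise it
    stays on indexQueue.  Returns {queue_name: [hosts]} in input order.
    """
    pattern = re.compile(regex)
    queues = {"nullQueue": [], "indexQueue": []}
    for host, _raw in events:
        dest = "nullQueue" if pattern.search(host) else "indexQueue"
        queues[dest].append(host)
    return queues

def main():
    # The post's pattern, an unescaped bare address, and an escaped/anchored one.
    for regex in ("192.168.158.131.log", "192.168.158.131", r"^192\.168\.158\.131$"):
        q = route(EVENTS, regex)
        print(f"REGEX = {regex}")
        print(f"  dropped : {q['nullQueue']}")
        print(f"  indexed : {q['indexQueue']}")

if __name__ == "__main__":
    main()
```

With the post's REGEX only a host value literally equal to 192.168.158.131.log is dropped, and because unescaped dots match any character, 192.168.158.131 also drops 192x168y158z131; escape the dots and anchor the pattern when the intent is exactly one host.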