I have a props.conf and transforms.conf configured to filter out some events and send to null Q.
I have tested the configuration on a standalone server and get the required results that the events are filtered.
However if i then apply the config to my heavy forwarder:
created app in \splunk\etc\apps\Splunk_TA_NukeEvents
Copy props and transforms to local directory and restart\refresh
Events still come through to cloud.
What am i missing ?
gratzi
↧