I have an old environment (5.0) and a new environment (6.2.1). I have heavy forwarders in the new environment collecting the data and forwarding to both environments. I have to keep some of the data flowing to the old environment, but I can cut off most of it to save on my license if possible. I have tried to drop the events on the old indexers, but it is not working, and I think it is because the data has already gone through the queues on the forwarders, so it skips them on the indexers. See the "Caveats for routing and filtering structured data" here: http://docs.splunk.com/Documentation/Splunk/6.2.1/Forwarding/Routeandfilterdatad
Below is my setup. Any thoughts on how I can accomplish this one?
Heavy Forwarders: outputs.conf
[tcpout]
defaultGroup = prod, new
forwardedindex.filter.disable = true
[tcpout:prod]
server = server1:9997,server2:9997
autoLB = true
[tcpout:new]
server = server3:9997,server4:9997
autoLB = true
I have tried this on the indexer (server1) with no luck. I have also tried to place this in the /etc/system/local directory and tried to use the source instead of the sourcetype. I have restarted Splunk but still no luck.
props.conf
[cisco:asa]
TRANSFORMS-set = drop_event
transforms.conf
[drop_event]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
Any help is much appreciated.
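As an added example (not from the original post), the filtering can be done where these events are actually parsed, on the heavy forwarders: a transform sets `_TCP_ROUTING` for the `cisco:asa` sourcetype so those events go only to the `new` output group, while every other sourcetype still follows `defaultGroup` and reaches both environments. The stanza name `route_asa_new_only` is an assumption; the group name `new` is taken from the posted outputs.conf.

```ini
# Heavy forwarder: $SPLUNK_HOME/etc/system/local/props.conf
# Runs in the HF parsing pipeline. The indexers receive already-cooked data
# and skip their own parsing queue, which is why the same stanza there had
# no effect.
[cisco:asa]
TRANSFORMS-routing = route_asa_new_only

# Heavy forwarder: $SPLUNK_HOME/etc/system/local/transforms.conf
# REGEX = . matches every event of the sourcetype. _TCP_ROUTING overrides
# defaultGroup for the matched event, and FORMAT names the tcpout group(s)
# it should be sent to (a comma-separated list if more than one).
[route_asa_new_only]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = new

# outputs.conf stays as posted: "defaultGroup = prod, new" keeps all other
# sourcetypes flowing to both environments; only cisco:asa is narrowed to new.
```

After restarting the heavy forwarders, a search on the old indexers for sourcetype=cisco:asa with a time range after the change should return nothing, while the same search on the new indexers still does.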