Create the props.conf and transforms.conf files.
props.conf
[source::.../var/log/secure]
TRANSFORMS-null = setnull
transforms.conf
[setnull]
REGEX = \sJAKIS_REGEX\s
DEST_KEY = queue
FORMAT = nullQueue
Restart Splunk: /opt/splunk/bin/splunk restart
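
Events routed to nullQueue are discarded before indexing, so it is worth checking what the REGEX matches before restarting. The following is an added example, not part of the original note: a dry run that reads a [setnull] stanza and shows which sample events would be dropped. The REGEX value (standing in for the JAKIS_REGEX placeholder) and the log lines are constructed, and Python's re module is assumed to behave like Splunk's PCRE for this simple pattern.

```python
import configparser
import re

# Constructed transforms.conf text; the REGEX value is a sample standing in
# for the placeholder used in the note above.
TRANSFORMS_CONF = r"""
[setnull]
REGEX = \spam_unix\(crond:session\):\s
DEST_KEY = queue
FORMAT = nullQueue
"""

# Constructed /var/log/secure lines (documentation IP range 192.0.2.0/24).
SAMPLE_EVENTS = [
    "Jan 10 10:01:01 web01 crond[2211]: pam_unix(crond:session): session opened for user root by (uid=0)",
    "Jan 10 10:01:02 web01 sshd[2290]: Failed password for invalid user admin from 192.0.2.15 port 50122 ssh2",
    "Jan 10 10:01:05 web01 sshd[2290]: Accepted publickey for deploy from 192.0.2.20 port 50310 ssh2",
    "Jan 10 10:02:01 web01 crond[2305]: pam_unix(crond:session): session closed for user root",
]


def load_null_filter(conf_text, stanza):
    """Return the compiled REGEX of a stanza, refusing stanzas that do not route to nullQueue."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep key case (REGEX, DEST_KEY, FORMAT)
    parser.read_string(conf_text)
    section = parser[stanza]
    if section["DEST_KEY"] != "queue" or section["FORMAT"] != "nullQueue":
        raise ValueError(f"[{stanza}] does not route events to nullQueue")
    return re.compile(section["REGEX"])


def dry_run(pattern, events):
    """Split events into (dropped, kept) using an unanchored match on the raw event text."""
    dropped = [e for e in events if pattern.search(e)]
    kept = [e for e in events if not pattern.search(e)]
    return dropped, kept


if __name__ == "__main__":
    dropped, kept = dry_run(load_null_filter(TRANSFORMS_CONF, "setnull"), SAMPLE_EVENTS)
    for e in dropped:
        print("nullQueue :", e)
    for e in kept:
        print("indexed   :", e)
```

If an authentication event such as an sshd failure shows up under nullQueue, tighten the REGEX before deploying it.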