From fd804a083d5aa77d45bd5af325bbfea53c7eed4d Mon Sep 17 00:00:00 2001
From: Chris Long <clong@cl0ng.com>
Date: Sat, 28 Mar 2020 02:30:06 -0700
Subject: [PATCH] Fixing the Splunk nullqueue

---
 Vagrant/resources/splunk_server/props.conf | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/Vagrant/resources/splunk_server/props.conf b/Vagrant/resources/splunk_server/props.conf
index 53239a7..fc080c2 100644
--- a/Vagrant/resources/splunk_server/props.conf
+++ b/Vagrant/resources/splunk_server/props.conf
@@ -15,8 +15,10 @@ TRUNCATE = 0
 
 [osquery:json]
 TRANSFORMS-osquery_host = osquery_hostidentifier_as_host
-TRANSFORMS-null = setnull
 TIME_PREFIX = \"unixTime\"\:
 MAX_TIMESTAMP_LOOKAHEAD = 500
 TIME_FORMAT = %s
-TRUNCATE = 0
\ No newline at end of file
+TRUNCATE = 0
+
+[osquery:status]
+TRANSFORMS-null = setnull
\ No newline at end of file