I was able to successfully filter events using the lines below in props.conf and transforms.conf. Has anyone filtered using another field of the same event? I want to filter by EventCode and Account_Name. We have one particular account that we expect to generate a high number of these events but we are interested in the others. Is this just a matter of modifying the same REGEX line?
props.conf:
[WMI:WinEventLog:Security]
TRANSFORMS-wmi=wminull
Note: In pre-4.2.x versions of Splunk, you must use [wmi] as the sourcetype in order to send events to nullQueue.
transforms.conf:
[wminull]
REGEX=(?m)^EventCode=(4662)
DEST_KEY=queue
FORMAT=nullQueue
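One way to do this, as an added example that is not part of the original post: the REGEX keeps the EventCode match but additionally requires the first "Account Name:" line of the event to name the noisy account (svc_noisy is a placeholder), and a small Python harness checks the pattern against constructed sample events before it goes into transforms.conf. Matching 4662 events from that account alone are sent to nullQueue; 4662 events from every other account, and all other event codes, are kept.

```python
import re

# Placeholder for the noisy service account named in the question (assumed).
NOISY_ACCOUNT = "svc_noisy"

# Pattern in the form transforms.conf expects: (?m) makes ^/$ per-line, (?s)
# lets . cross lines. It matches only when EventCode is 4662 AND the first
# "Account Name:" line after it is the noisy account. The tempered dot
# (?:(?!^\s*Account Name:).)* stops at that first line, so a later
# "Account Name:" in the event (e.g. a target section) cannot cause a drop.
NULLQUEUE_REGEX = (
    r"(?ms)^EventCode=4662\s*$"
    r"(?:(?!^\s*Account Name:).)*"
    r"^\s*Account Name:\s*" + re.escape(NOISY_ACCOUNT) + r"\s*$"
)
_PATTERN = re.compile(NULLQUEUE_REGEX)


def goes_to_nullqueue(raw_event: str) -> bool:
    """True if the [wminull] transform would route this raw event to nullQueue."""
    return _PATTERN.search(raw_event) is not None


def transforms_stanza() -> str:
    """The transforms.conf stanza equivalent to goes_to_nullqueue()."""
    return "\n".join([
        "[wminull]",
        f"REGEX={NULLQUEUE_REGEX}",
        "DEST_KEY=queue",
        "FORMAT=nullQueue",
    ])


def sample_event(account: str, code: int = 4662) -> str:
    """Constructed, abbreviated WinEventLog-style raw event (not from the post)."""
    return (
        "ComputerName=DC01.corp.example\n"
        f"EventCode={code}\n"
        "EventType=0\n"
        "Logfile=Security\n"
        "Message=An operation was performed on an object.\n"
        "\n"
        "Subject:\n"
        "\tSecurity ID:\tS-1-5-21-0-0-0-1001\n"
        f"\tAccount Name:\t{account}\n"
        "\tAccount Domain:\tCORP\n"
    )
```

Paste the output of transforms_stanza() over the existing [wminull] stanza once the harness shows the expected events, and only those, being dropped.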