Scenario:
Multiple WinHosts forwarding logs to separate Linux indexers using Splunk Forwarders.
Objective:
The ability to transform WinEvents using transforms.conf and props.conf
Situation:
Transforming data from local sources, such as syslog, works without error. Transforming the forwarded events is not working. I am wondering if I need to specify the forwarded data in inputs.conf?
Here is a good example of filtering security events (in case you want to keep some of them).
Just remember the order is important - send to nullQueue first:
http://answers.splunk.com/answers/29218/filtering-windows-event-logs
Filtering Windows events is a very common practice. It does work - I do it myself.
But, there are a number of things that can go wrong.
What exactly is the sourcetype? Where are you placing the configs, which files, and what are the configs?
Why do you think there is something wrong with the forwarded data? Windows security logs are standard, but they can come from at least two different sources.
Did you restart Splunk on the indexer after you made the changes?
Lastly, you do know that these changes will not affect logs already indexed right?
This is not working either.
Well, if you want to be rid of all WinEventLog:Security, it's probably better to not monitor them in the first place. Other than that, it could be done like:
props.conf:
[WinEventLog:Security]
TRANSFORMS-blah = discard

transforms.conf:
[discard]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
This is not working for you?
/K
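As an added worked example (not from this thread or from Splunk itself), here is the filter-then-recover pattern the answer above and the linked thread describe, simulated in Python: props.conf names an ordered list of transforms, each transforms.conf stanza writes the queue key, and the last write wins, which is why the nullQueue transform has to come first. All config text and sample events below are constructed, and only queue routing is modelled.

```python
import re
from configparser import ConfigParser

# Constructed configs (not from the thread): discard every WinEventLog:Security
# event, then pull the logon success/failure codes back into indexQueue.
PROPS_CONF = """
[WinEventLog:Security]
TRANSFORMS-routing = setnull, setparsing
"""
# Same stanza with the list reversed: setnull runs last, so nothing survives.
PROPS_WRONG_ORDER = PROPS_CONF.replace("setnull, setparsing", "setparsing, setnull")

TRANSFORMS_CONF = r"""
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = (?m)^EventCode=(4624|4625)$
DEST_KEY = queue
FORMAT = indexQueue
"""

# Constructed sample events in the multi-line WinEventLog text layout.
LOGON_OK = "LogName=Security\nEventCode=4624\nEventType=0\n"
PRIV_NOISE = "LogName=Security\nEventCode=4672\nEventType=0\n"


def load_stanzas(text):
    """Parse Splunk-style [stanza] / KEY = value text into nested dicts."""
    cp = ConfigParser(interpolation=None)
    cp.optionxform = str  # keep REGEX / DEST_KEY / FORMAT case intact
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def route_event(sourcetype, raw, props_text=PROPS_CONF):
    """Return the queue an event lands in: indexQueue unless a transform says otherwise."""
    props, transforms = load_stanzas(props_text), load_stanzas(TRANSFORMS_CONF)
    queue = "indexQueue"
    for key, names in props.get(sourcetype, {}).items():
        if not key.startswith("TRANSFORMS-"):
            continue
        for name in (n.strip() for n in names.split(",")):
            t = transforms[name]
            # Later matching transforms override earlier ones (last write wins).
            if t.get("DEST_KEY") == "queue" and re.search(t["REGEX"], raw):
                queue = t["FORMAT"]
    return queue
```

With the correct order, EventCode 4624 stays in indexQueue and 4672 is dropped; with the reversed list every Security event ends up in nullQueue.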
No, that is not working for me. I think it has something to do with the events being forwarded.
Version = 5.0.2
What version of Splunk are you using?
Yes, I should have been more specific. I am transforming on the indexer. I want to be able to transform any parts of the events. To send all WinEventLog:Security to the null queue for example.
What parts of the events do you want to transform, and why?
In any case, you do know that the props/transforms settings should be configured on the indexer, right?
http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings
/k