I need to drop "Filtering Platform Connections", I also want to drop most of "Audit File System" events from windows servers. I do not have control over source servers, those only have universal-forwarder. I can only manipulate the indexer-all-in-one Splunk server.
I followed http://docs.splunk.com/Documentation/Splunk/5.0.6/Deploy/Routeandfilterdatad
and some posts on answers and was testing the following:
in ../etc/system/local/
props.conf
[WinEventLog:Security]
TRANSFORMS-wmi = NullEvents-null, WinSecEvents-null
transforms.conf
[NullEvents-null]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[WinSecEvents-null]
REGEX=(?msi)^EventCode=(5156|104)\D
DEST_KEY = queue
FORMAT = indexQueue
Unfortunately the filtered events still show up.
What I did so far:
/etc/apps/windows/, /etc/apps/Splunk_TA_Windows, /splunk/app/Splunk_for_Exchange, as those were the files that ./splunk cmd btool and grep came up with, with the stanzas [WMI:WinEventLog:Security], [source::WinEventLog:Security], [source::WMI:WinEventLog:Security], [source::main], [WMI:WinEventLog:Security].
I'm wondering if I'm putting the files in the proper place (folder), and if I'm using the correct [source]?
++ I'm on 5.0.6. ++ I'm fresh to Splunk configurations. ++ I'm abusing my license as I can't filter the events, so the issue is urgent. ++
A few things to help troubleshooting.
1) Put the props and transforms in etc/system/local. This directory has the highest precedence for index-time extractions.
2) Use the source as opposed to the sourcetype. Extractions for the source will take precedence over extractions for sourcetype, so if there is a conflict it will only be with source.
3) You should not guess at the source. Run a search on the data and verify the source from the source field, and use it exactly, preceded by [source::<yoursourcehere>].
4) If you want to keep EventCode=(5156|104)\D, then why call them null?
5) The transform requires an indexer restart to take effect and will only affect newly indexed logs.
Update: config to drop two event codes and keep everything else.
Have you tried this?
Make sure the source is correct, then in ../etc/system/local/
props.conf
[WinEventLog:Security]
TRANSFORMS-wmi = WinSecEvents-null
transforms.conf
[WinSecEvents-null]
REGEX=(?msi)^EventCode=(5156|104)\D
DEST_KEY = queue
FORMAT = nullQueue
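As an added illustration (not part of the original question or answer), the Python below simulates how Splunk walks a TRANSFORMS list in order, with the last matching transform that sets DEST_KEY = queue deciding where the event goes (this ordering rule is assumed from Splunk's documented behaviour). Run over constructed sample events, it shows why the original two-stanza config keeps only 5156 and 104 while the single nullQueue stanza drops exactly those two.

```python
import re

# Constructed sample events in the shape of WinEventLog:Security raw text
# (not real events from the thread).
EVENTS = [
    "05/01/2014 10:00:00 AM\nLogName=Security\nEventCode=5156\nEventType=0\n"
    "Message=The Windows Filtering Platform has permitted a connection.",
    "05/01/2014 10:00:01 AM\nLogName=Security\nEventCode=4663\nEventType=0\n"
    "Message=An attempt was made to access an object.",
    "05/01/2014 10:00:02 AM\nLogName=Security\nEventCode=104\nEventType=0\n"
    "Message=The System log file was cleared.",
    "05/01/2014 10:00:03 AM\nLogName=Security\nEventCode=4624\nEventType=0\n"
    "Message=An account was successfully logged on.",
]

# Each transform is (name, REGEX, FORMAT); all of them have DEST_KEY = queue.
ASKER_CONFIG = [
    ("NullEvents-null", r".", "nullQueue"),
    ("WinSecEvents-null", r"(?msi)^EventCode=(5156|104)\D", "indexQueue"),
]
ANSWER_CONFIG = [
    ("WinSecEvents-null", r"(?msi)^EventCode=(5156|104)\D", "nullQueue"),
]


def route(event, transforms, default="indexQueue"):
    """Return the queue an event lands in. Transforms run in list order and
    each match overwrites the queue key, so the last matching one wins."""
    queue = default
    for _name, regex, fmt in transforms:
        if re.search(regex, event):
            queue = fmt
    return queue


def indexed_codes(transforms, events=EVENTS):
    """EventCodes that survive to the index under a given transform list."""
    kept = []
    for ev in events:
        if route(ev, transforms) == "indexQueue":
            kept.append(re.search(r"^EventCode=(\d+)", ev, re.M).group(1))
    return kept


if __name__ == "__main__":
    print("asker's config keeps :", indexed_codes(ASKER_CONFIG))   # ['5156', '104']
    print("answer's config keeps:", indexed_codes(ANSWER_CONFIG))  # ['4663', '4624']
```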
The configs you posted won't do what you want. I know you said you could not edit them, but when you say "I'm pretty confident this is how it should be" it is kind of confusing - what do you mean by 'this'?
I updated my answer to remove the first nullQueue stanza and changed indexQueue to nullQueue for the events you want to drop.
I do want to drop those 2 events, thus they go to nullQueue. I'm pretty confident this is how it should be.
I also forgot to mention - Splunk is running as a "splunk" user, and yes, all config files are owned by the "splunk" user.
If that is the case, then your config is off the mark.
When I want to drop particular Windows events in Splunk 5, I use just one stanza. Try dropping all reference and stanzas to NullEvents-null, and keep only WinSecEvents-null.
My guess is the config you have posted would drop everything except those two events even though you named it -null.
Thanks Luke!
Since I followed the docs and some other posts here and it didn't work for me, hence those trial & error steps :]
source is identical to sourcetype.
nullQueue: yes, I want to filter them out, not in.