Hi,
As of Splunk 6, my props/transforms to do the above action no longer work. I haven't upgraded the UF on all my clients so the blacklist can't be used yet. Am I missing something? I believe these use to work in 5.0.5.
props.conf
[source::WinEventLog:Security]
TRANSFORMS-security1 = setnull2
[source::WinEventLog:System]
TRANSFORMS-system1 = setnull3
transforms.conf
[setnull2]
REGEX = (?m)^EventCode=(4688|5152|5156|5157)
DEST_KEY = queue
FORMAT = nullQueue
[setnull3]
REGEX = (?m)^EventCode=(28)
DEST_KEY = queue
FORMAT = nullQueue
Lucky for you Splunk 6 changed the game for filtering windows event logs. It is all done in inputs.conf, so there is no need to pass information through props or transforms.
Check out this post:
http://blogs.splunk.com/2013/10/14/windows-event-logs-in-splunk-6/
Yeah, I read that too. Unfortunately, not all of my UF have been upgraded to 6.0.1 so I can't do the blacklist just yet. I read somewhere that this may be a bug in 6.x. Thank you for taking the time to post and link.