How to filter WMI:WinEventLog:Security events based on EventCode and Account_Name?

samuelrey
New Member

I was able to successfully filter events using the lines below in props.conf and transforms.conf. Has anyone filtered using another field of the same event? I want to filter by EventCode and Account_Name. We have one particular account that we expect to generate a high number of these events, but we are interested in the others. Is this just a matter of modifying the same REGEX line?

props.conf:

[WMI:WinEventLog:Security]
TRANSFORMS-wmi=wminull

Note: In pre-4.2.x versions of Splunk, you must use [wmi] as the sourcetype in order to send events to nullQueue.

transforms.conf:

[wminull]
REGEX=(?m)^EventCode=(4662)
DEST_KEY=queue
FORMAT=nullQueue

bandit
Motivator

Yes, when using transforms you can filter on anything you can match with a regex. (This happens on your indexers unless you are using heavy forwarders.)

Side note: in the scenario that you are only filtering based on the Windows code, see the following article on how to filter Windows codes directly on the Universal Forwarder.
http://blogs.splunk.com/2013/10/14/windows-event-logs-in-splunk-6/

bandit
Motivator

You may want to paste a sample event here if you need help with the regex.


samuelrey
New Member

Thanks for the feedback. I have a REGEX that should work but now it's not filtering any 4662 events so the REGEX is not matching anything in Splunk.

REGEX=(?m)^EventCode=(4662)\n([\s\S]*?)(Account Name:\s+MyADUser)

What am I missing? Anyone?


samuelrey
New Member

Slashes were removed from the REGEX in the last post
(?m)^EventCode=(4662)\n([\s\S]*?)(Account Name:\s+watchguard)


chanamoluk
Explorer

Please help me out with how to create a REGEX in transforms.conf for the list of event codes below.
I want to index only the data for these event codes to Splunk Cloud:
4768-4777,4820,4720,4722-4735,4737-4767,4780-4794,4797-4799
5328,5348,5349
7837

props.conf
[WinEventLog:Security]
TRANSFORMS=null-queue

transforms.conf
[null-queue]
REGEX=
DEST_KEY=queue
FORMAT=nullQueue

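The script below is an added example, not code from anyone in this thread. It emulates what a transforms.conf stanza with DEST_KEY=queue and FORMAT=nullQueue does (discard every event the REGEX matches) so that both patterns discussed here can be checked offline before they go onto an indexer or heavy forwarder: the EventCode=4662 plus Account Name filter from samuelrey's posts, and an allow-list built from the event-code ranges in the question above, which has to be written as a negative match because nullQueue drops what the regex hits. The sample events, host name, SID and account names are constructed to approximate the multi-line key=value layout of WMI:WinEventLog:Security / WinEventLog:Security events; Python's re module stands in for Splunk's PCRE engine, which treats these constructs ((?m), (?s), lazy quantifiers, negative lookahead) the same way.

```python
import re

# Constructed sample events (not from the thread): the multi-line key=value
# shape of WinEventLog:Security events. Host, SID and account names are invented.
def _event(code, task, account):
    return (
        "LogName=Security\n"
        "SourceName=Microsoft-Windows-Security-Auditing\n"
        f"EventCode={code}\n"
        "EventType=0\n"
        "ComputerName=DC01.example.local\n"
        f"TaskCategory={task}\n"
        "Message=An operation was performed on an object.\n"
        "\n"
        "Subject :\n"
        "\tSecurity ID:\t\tS-1-5-21-111-222-333-1105\n"
        f"\tAccount Name:\t\t{account}\n"
        "\tAccount Domain:\t\tEXAMPLE\n"
    )

EVENT_4662_WATCHGUARD = _event(4662, "Directory Service Access", "watchguard")
EVENT_4662_ALICE = _event(4662, "Directory Service Access", "alice")
EVENT_4720_ALICE = _event(4720, "User Account Management", "alice")
EVENT_4778_ALICE = _event(4778, "Other Logon/Logoff Events", "alice")
SAMPLE_EVENTS = [EVENT_4662_WATCHGUARD, EVENT_4662_ALICE, EVENT_4720_ALICE, EVENT_4778_ALICE]

# REGEX from the [wminull] stanza in the thread: EventCode 4662 AND the
# noisy account. The bare \n right after 4662 only matches LF line endings.
WMINULL_REGEX = r"(?m)^EventCode=(4662)\n([\s\S]*?)(Account Name:\s+watchguard)"

# Same intent, tolerant of CRLF-terminated events and anchored to the whole
# account value so "watchguard2" is not caught. (?s) lets .*? cross lines.
WMINULL_REGEX_CRLF = r"(?ms)^EventCode=4662\r?$.*?^\s*Account Name:\s+watchguard\s*$"

# Event-code allow-list from the question above (ranges are inclusive).
ALLOWLIST_SPEC = ("4768-4777,4820,4720,4722-4735,4737-4767,4780-4794,4797-4799,"
                  "5328,5348,5349,7837")


def would_drop(event, regex):
    """Emulate DEST_KEY=queue / FORMAT=nullQueue: the event is discarded when
    REGEX matches anywhere in the raw event text."""
    return re.search(regex, event) is not None


def event_code(event):
    m = re.search(r"(?m)^EventCode=(\d+)", event)
    return int(m.group(1)) if m else None


def kept_event_codes(events, regex):
    """EventCodes of the events that would survive the nullQueue filter."""
    return [event_code(e) for e in events if not would_drop(e, regex)]


def expand_codes(spec):
    """'4768-4777,4820' -> {4768, ..., 4777, 4820}"""
    codes = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            codes.update(range(lo, hi + 1))
        else:
            codes.add(int(part))
    return codes


def allowlist_drop_regex(spec):
    """REGEX for a nullQueue stanza that keeps only the listed EventCodes.
    nullQueue drops what matches, so the pattern must match every EventCode
    that is NOT on the list: a negative lookahead over the full alternation,
    anchored to the line end (\\r? so CRLF events behave the same)."""
    alternation = "|".join(str(c) for c in sorted(expand_codes(spec)))
    return rf"(?m)^EventCode=(?!(?:{alternation})\r?$)\d+"


if __name__ == "__main__":
    print("kept by [wminull]:", kept_event_codes(SAMPLE_EVENTS, WMINULL_REGEX))
    drop = allowlist_drop_regex(ALLOWLIST_SPEC)
    print("allow-list REGEX:", drop)
    print("kept by allow-list:", kept_event_codes(SAMPLE_EVENTS, drop))
```

Two things the run makes visible. First, the thread's pattern matches the 4662 event from the noisy account and leaves the other 4662 event alone, but it stops matching as soon as the events carry CRLF line endings, because the literal `\n` after `4662` no longer follows the code; the `\r?$` variant handles both. Second, the string returned by `allowlist_drop_regex` is what goes on the empty `REGEX=` line of the `[null-queue]` stanza in the question, since that stanza sends matches to nullQueue and therefore has to match the events to throw away. When only the EventCode matters, the same alternation can instead be used as the Windows event log input's whitelist on the universal forwarder (the approach in the article bandit linked), so the unwanted events never leave the host.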