Hi,
I want to filter out all Successful NULL user logins from the Windows Security logs by using transforms.conf to send to the nullQueue before indexing.
In the Search app, the lines are displayed as:
...
Type=Audit Success
User=NULL
...
But I am not sure how to create the regex to handle both lines even though the lines come after one another. All the regex testers I have tried have not been helpful.
I ended up figuring it out eventually, with some added features:
(?m)Type=Audit\sSuccess(\s+.*\s+){6}Account\sName:\s+(USERNAME1|USERNAME2)
I ended up figuring it out eventually, with some added features:
(?m)Type=Audit\sSuccess(\s+.*\s+){6}Account\sName:\s+(USERNAME1|USERNAME2)
By default, Splunk should extract those fields with it's automatic field extraction. For any key=value, Splunk is pretty friendly. To optimize a search that finds all of these:
Assuming each event contains both of these lines, here is the search:
Audit Success NULL | search User=NULL Type="Audit Success"
OR
User=NULL Type="Audit Success"
To filter these events from your results, you want to negate the terms:
NOT User=NULL NOT Type="Audit Success"
But that's my whole point. I need to know what the regex is ...
Sounds like you want to do conditional routing to the nullqueue for specific events. The following thread explains how to route to nullqueue (won't get indexed). You want to modify the regex to recognize your specific events:
http://splunk-base.splunk.com/answers/11102/can-i-devnull-a-sourcetype
I'm afraid I was not clear. I want to filter them out before indexing, so I need to configure transforms.conf. That's the regex I need to figure out.