I am trying to filter Windows:Security:Events: 5145. I created the props.conf and the transforms.conf file listed below. I have it in a app called all_indexers which gets push to all indexers. The props.conf and the transforms.conf files are in the /all_indexers/local/ directory on each of the indexers. Some thing is amiss, but I can't seem to find it.
Contents of the transforms.conf
[nullFilter-5145]
REGEX=(EventCode=5145)
DEST_KEY=queue
FORMAT=nullQueue
Contents of the props.conf
[source::WinEventLog:Security]
TRANSFORMS-nullQ=nullFilter-5145
in props.conf try stanza as
[source::*:Security]
in transforms you might have to change REGEX as
REGEX = (EventCode)=(5145)
I made the changes to transforms.conf and props.conf. These conf files are in $SPLUNKHOME/etc/apps/all_indexers/local.
Should these files be in $SPLUNKHOME/etc/system/local/ on each of the indexers instead?
This should be actually done within the Windows TA's local directory and then deployed to all Index servers. The location on the index server should be $SPLUNKHOME/etc/apps/{Windows_TA_NAME}/local.
If you have deployment server, then use that to deploy.