Splunk Search

Exclusion Not Working In Transforms.Conf File

itsomana
Path Finder

I have four Windows 2008 R2 servers, each running a Splunk Universal Forwarder. On the Splunk server, in the transforms.conf file which resides in C:\Program Files\Splunk\etc\system\local, I have the following configuration:

[FilterSecurityEvents]
REGEX = (?m)EventCode=(5156)
DEST_KEY = queue
FORMAT = nullQueue

In the props.conf file which also resides in C:\Program Files\Splunk\etc\system\local I have the following entry:

[WinEventLog:Security]
TRANSFORMS-Filter_Events = FilterSecurityEvents

I am trying to stop EventCode 5156 from being indexed; however, this event code is still being indexed by Splunk. Does anyone have any idea why this is happening?

From browsing other Splunkbase posts I have noticed that I am missing ^ in the string. Should my entry be: REGEX = (?m)^EventCode=(5156)


erstexas
Path Finder

Was anybody ever able to get this working?


tgow
Splunk Employee

You cannot filter events into the nullQueue on a Universal Forwarder. You will need to move the props.conf and transforms.conf onto the indexer. Try this and the data should be sent to the nullQueue before it is indexed.

tgow
Splunk Employee

The Windows Event Codes can be tricky sometimes with the filtering.

I am wondering if the parentheses in the REGEX could be causing a problem. Try removing them and adding an anchor, i.e.:

[FilterSecurityEvents]
REGEX = (?m)^EventCode=5156
DEST_KEY = queue
FORMAT = nullQueue

itsomana
Path Finder

I have put ^ into the REGEX field (REGEX = (?m)^EventCode=5156) and then restarted Splunk; however, Splunk was still logging Event Code 5156.

I then removed the brackets from around (5156) and restarted Splunk; however, still no luck.

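As an added local check (not code from this thread or from Splunk itself), the script below reads the two stanzas tgow proposed and replays the filter over a few constructed Windows Security events, so you can see which events the indexer would send to nullQueue before copying the files there. The event layout, the sample values and the file contents are assumptions; Splunk evaluates the REGEX with PCRE, while this uses Python's re module, which agrees for patterns this simple.

```python
import configparser
import re
from typing import Dict, List

# Constructed stand-ins for the stanzas proposed in the thread.
TRANSFORMS_CONF = """
[FilterSecurityEvents]
REGEX = (?m)^EventCode=5156
DEST_KEY = queue
FORMAT = nullQueue
"""
PROPS_CONF = """
[WinEventLog:Security]
TRANSFORMS-Filter_Events = FilterSecurityEvents
"""

# Constructed sample events in the multi-line shape of the WinEventLog input:
# "EventCode=" sits at the start of its own line, which is what ^ with (?m) needs.
SAMPLE_EVENTS = [
    "03/15/2024 10:01:02 AM\nLogName=Security\nEventCode=5156\nEventType=0\n"
    "Message=The Windows Filtering Platform has permitted a connection.",
    "03/15/2024 10:01:03 AM\nLogName=Security\nEventCode=4624\nEventType=0\n"
    "Message=An account was successfully logged on.",
    # Mentions 5156 only inside the message text; an unanchored regex would drop it too.
    "03/15/2024 10:01:04 AM\nLogName=Security\nEventCode=4688\nEventType=0\n"
    "Message=A new process has been created. Command line contains EventCode=5156",
]


def load_filters(props_text: str, transforms_text: str, sourcetype: str) -> List[re.Pattern]:
    """Return the compiled nullQueue regexes that props.conf wires to `sourcetype`."""
    props = configparser.ConfigParser(interpolation=None)
    props.optionxform = str  # keep key case; TRANSFORMS-* names are case-sensitive
    props.read_string(props_text)
    transforms = configparser.ConfigParser(interpolation=None)
    transforms.optionxform = str
    transforms.read_string(transforms_text)
    patterns = []
    for key, value in props[sourcetype].items():
        if not key.startswith("TRANSFORMS-"):
            continue
        for name in (n.strip() for n in value.split(",")):  # comma-separated list
            stanza = transforms[name]
            if stanza.get("DEST_KEY") == "queue" and stanza.get("FORMAT") == "nullQueue":
                patterns.append(re.compile(stanza["REGEX"]))
    return patterns


def route_events(events: List[str], patterns: List[re.Pattern]) -> Dict[str, List[str]]:
    """Split raw events into those the filter would drop and those it would index."""
    routed: Dict[str, List[str]] = {"nullQueue": [], "indexQueue": []}
    for raw in events:
        dropped = any(p.search(raw) for p in patterns)
        routed["nullQueue" if dropped else "indexQueue"].append(raw)
    return routed
```

Run the same harness with the original unanchored REGEX = (?m)EventCode=(5156) and the 4688 event is dropped as well, which is why the anchor matters even once the files are on the indexer.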