Getting Data In

Heavy forwarder do not transform

krusty
Contributor

Hi there,

I have a problem with our windows heavy forwarder.
The problem is that the forwarder should transform wmi events from a spezific host.

My props.conf and transform.conf looks like this:



props.conf

[host::*]
TRANSFORMS-events=only_error_warning


transforms.conf

[only_error_warning]
REGEX = (?mi)Type=Audit
DEST_KEY = queue
FORMAT = nullQueue

Do I have a problem with the config or couldn't the heavy forwarder transform the wmi event?

Regards

Tags (1)
0 Karma

lguinn2
Legend

First, your props.conf is not for a specific host, but for all hosts. Or I should say "all hosts that have data collected by this forwarder."
Second, only events that have "type=audit" in the text will be eliminated.
What hosts and events appear in your Splunk indexer? What do you get if you put type=audit in the search box?

0 Karma

krusty
Contributor

Hi lguinn,

thanks for you reply.

That's right. I only want to eliminated all audit events from these forwarder. Should i use any wildcard in the regex to find all audit success or audit failure events?

At the first time i only want to eliminate all audit events from host server1. I had written the props.conf like this [host::server1] but nothing happens. So i use the wildcard to find all hosts. But this also dosen't work.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...