
Splunk Filter on Windows

JPValadas
Explorer

Hello there,

I'm Portuguese and I'm trying to learn how to filter Windows data, but I don't know how.
Example: if I only want to check a service, or who logs in to my machine, how do I block all the other information?

In an enterprise the 500 MB free will expire in only 5 min.

In the next example, how can I say that I want, or that I do not want, to index this information?
Do I have to create a props.conf?
If I have to create it, where do I create that file? splunk? C:\Program Files\Splunk\etc?
Is it by CLI?
Is it on the DOS command line?
Is it in "Manager"?

LogName=System
SourceName=Microsoft-Windows-Service Control Manager
EventCode=7036
EventType=4
Type=Information
ComputerName=teste-PC
TaskCategory=The operation completed successfully.
OpCode=The operation completed successfully.
RecordNumber=27001

Many Thanks
JV


eegilbert
Explorer

I've found that it's helpful to have a Regular Expression cheat sheet handy when doing this type of work. There is a really snazzy tool that the people (maybe person) at gskinner have built:
http://gskinner.com/RegExr/

It's a Flash application that will allow you to test any number of Regular Expressions on given text. There is even a standalone one written in AIR which is nice if you're traveling and not near a net connection.

I'm still trying to get the hang of transforms and props; however, it seems to me that the titles of the stanzas are up to the user as long as they are consistent. (Please, someone who knows better, confirm this.)

(?m) optionally matches m and (?msi) optionally matches msi

Also, the props.conf spec document is available at:

http://docs.splunk.com/Documentation/Splunk/5.0.1/admin/Propsconf


JPValadas
Explorer

Thank you for the answer.

I solved it this way:

props.conf

[WinEventLog:Application]
TRANSFORMS-wmi = setnull

transforms.conf

[setnull]
REGEX = (?msi)^EventCode=(4101)
DEST_KEY = queue
FORMAT = nullQueue

Can you tell me what the difference is between REGEX = (?m) and (?msi)? And I don't know the difference between winnull and setnull either, but I got it working.


jbsplunk
Splunk Employee

You've made a mistake in your implementation, specifically in your props.conf entry by calling a sourcetype field that doesn't match the sourcetype field assigned to the events, causing a miss. It should look like this, based on what I've seen of your configuration:

[WinEventLog:Application]
TRANSFORMS-wmi=wminull

Your transform looks fine to me, I don't think it should be changed.

JPValadas
Explorer

Why did I get -1 on a question?


JPValadas
Explorer

Good morning,

I have my conf files like this, saved in a new text file.
Please see:

http://imageshack.us/photo/my-images/407/transforms.png/
http://imageshack.us/photo/my-images/525/props.png/

The source field "Application" is correct, because in Windows the system logon comes to Splunk in the source field "Application".

Tell me one thing: do I have to put these two files, props and transforms, on the forwarder or on the indexer? The forwarder is Windows 7, the indexer is CentOS Linux. (I got it, it is on the forwarder.)
And can I create the files as a txt file? (OK, I tried and got it: yes, a text file.)
And should I save them as a txt file? (Yes.)

By the way, I'm trying to exclude this:

"
04/05/2012 12:26:51 PM
LogName=Application
SourceName=Microsoft-Windows-Winlogon
EventCode=4101
EventType=4
Type=Information
ComputerName=joaovaladas-PC
TaskCategory=None
OpCode=None
RecordNumber=189997
Keywords=Classic
Message=Windows license validated.

sourcetype=WinEventLog:Application Options|

source=WinEventLog:Application Options
"

Many Thanks

JV


JPValadas
Explorer

OK, I have something that looks like that.

I have copied my props.conf and transforms.conf from C:\Program Files\Splunk\etc\system\default to C:\Program Files\Splunk\etc\system\local

Should I create new ones?

In the end I have written this:
props.conf

[WMI:WinEventLog:Application]
TRANSFORMS-wmi=wminull

Saved, and in transforms.conf I have written this:

[wminull]
REGEX = (?m)^EventCode=(4101)
DEST_KEY = queue
FORMAT=nullQueue

The number 4101 is the event number for when you make a LOGON.
I saved it on the indexer, but when I go to "Search" I still receive that log.

Can you tell me why?

Many Thanks.
JV


jbsplunk
Splunk Employee

In props.conf, you're telling Splunk you want it to act on the sourcetype field with the stanza you've used. That means that the sourcetype field must match exactly what you've got in props. Can you confirm that 'WMI:WinEventLog:Application' is exactly what you see in the sourcetype field for one of these events? If no, you should change it to whatever you see there exactly.


kristian_kolb
Ultra Champion

I answered something similar just recently:

http://splunk-base.splunk.com//answers/44352/how-to-only-forward-windows-security-logs

It's rather long with lots of comments, but if you know how to get data into the indexer, you will probably understand it. That particular example deals with Security logs, but you could change that to System, if those are the events you want.

You create your props.conf and transforms.conf with a normal text editor.

In props.conf you should create a stanza with the same name as your sourcetype, in this case something like [WinEventLog:Application], but you have to make sure that you have the correct one.

There you will need to reference a transforms.conf stanza like this,
in props.conf:

[WinEventLog:Application]
TRANSFORMS-blahbaha = windelete, winkeep

In transforms.conf you need to create two stanzas, windelete and winkeep, and under each you will need to form a regex and say what to do with matching events:

in transforms.conf

[windelete]
REGEX = (?m).
DEST_KEY = queue
FORMAT = nullQueue

[winkeep]
REGEX = (?m)^EventCode=(4104|9999|666)
DEST_KEY = queue
FORMAT = indexQueue

This will result in only keeping events that match EventCode=4104 or EventCode=9999 or EventCode=666.

Hope this helps,

Kristian
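To make the two filtering patterns in this thread concrete, here is an added example (not from Splunk's documentation nor from any poster above) that simulates offline, in Python, how props.conf and transforms.conf route events: JPValadas's blacklist stanza (setnull on EventCode 4101), kristian_kolb's whitelist pair (windelete first, then winkeep), and jbsplunk's point that a stanza whose name does not match the sourcetype exactly filters nothing. The stanza and transform names come from the thread; the events are constructed for the example. Two caveats the simulation also shows: `^EventCode=` matches only because of `(?m)`, since that field is never the first line of a Windows event, and the keep regex here is closed with `$` so `(7036|6005|6006)` cannot match a longer code by prefix, which an unanchored `(4104|9999|666)` would (it also matches EventCode=6661).

```python
"""Simulation of Splunk props.conf / transforms.conf event routing.

Added example for this thread, not code from Splunk or any poster. It models
only the behaviour discussed above:
  * a props.conf stanza is chosen by EXACT match on the event's sourcetype;
  * the transforms named in a TRANSFORMS-<class> setting run left to right;
  * each transform whose REGEX matches sets DEST_KEY; with DEST_KEY=queue the
    last match wins, so nullQueue drops the event and indexQueue keeps it.
"""
import re

# Constructed sample events (not real log data), in the key=value layout of
# Splunk's Windows event log input: one field per line.
EVENTS = [
    # Winlogon 4101, the event JPValadas wants to drop
    {"sourcetype": "WinEventLog:Application",
     "_raw": "04/05/2012 12:26:51 PM\nLogName=Application\n"
             "SourceName=Microsoft-Windows-Winlogon\nEventCode=4101\n"
             "EventType=4\nMessage=Windows license validated."},
    # Another Application event, which should stay
    {"sourcetype": "WinEventLog:Application",
     "_raw": "04/05/2012 12:27:03 PM\nLogName=Application\n"
             "SourceName=Application Error\nEventCode=1000\n"
             "Message=Faulting application."},
    # Same 4101 event, but with a sourcetype no props stanza matches
    {"sourcetype": "WMI:WinEventLog:Application",
     "_raw": "04/05/2012 12:28:00 PM\nLogName=Application\n"
             "SourceName=Microsoft-Windows-Winlogon\nEventCode=4101\n"
             "Message=Windows license validated."},
    # System log: service state change, on the keep list
    {"sourcetype": "WinEventLog:System",
     "_raw": "04/05/2012 12:29:10 PM\nLogName=System\n"
             "SourceName=Microsoft-Windows-Service Control Manager\n"
             "EventCode=7036\nMessage=The service entered the running state."},
    # System log: service start type changed, not on the keep list
    {"sourcetype": "WinEventLog:System",
     "_raw": "04/05/2012 12:30:00 PM\nLogName=System\n"
             "SourceName=Microsoft-Windows-Service Control Manager\n"
             "EventCode=7040\nMessage=The start type was changed."},
]

# props.conf: stanza name must equal the sourcetype. Application uses the
# thread's blacklist; System uses the whitelist pattern (drop all, re-route).
PROPS = {
    "WinEventLog:Application": {"TRANSFORMS-wmi": ["setnull"]},
    "WinEventLog:System": {"TRANSFORMS-win": ["windelete", "winkeep"]},
}

# transforms.conf. (?m) makes ^ and $ match at line boundaries; the trailing
# $ stops 7036 from matching a longer code such as 70360 by prefix.
TRANSFORMS = {
    "setnull":   {"REGEX": r"(?m)^EventCode=4101$",
                  "DEST_KEY": "queue", "FORMAT": "nullQueue"},
    "windelete": {"REGEX": r"(?m).",
                  "DEST_KEY": "queue", "FORMAT": "nullQueue"},
    "winkeep":   {"REGEX": r"(?m)^EventCode=(7036|6005|6006)$",
                  "DEST_KEY": "queue", "FORMAT": "indexQueue"},
}


def route(event, props=PROPS, transforms=TRANSFORMS):
    """Return the queue an event ends up in: 'indexQueue' or 'nullQueue'."""
    queue = "indexQueue"  # default when nothing reroutes the event
    stanza = props.get(event["sourcetype"])  # exact match, no normalisation
    if stanza is None:
        return queue  # a misnamed stanza filters nothing (jbsplunk's point)
    for setting, names in stanza.items():
        if not setting.startswith("TRANSFORMS-"):
            continue
        for name in names:  # left to right; last matching DEST_KEY wins
            t = transforms[name]
            if t["DEST_KEY"] == "queue" and re.search(t["REGEX"], event["_raw"]):
                queue = t["FORMAT"]
    return queue


def route_all(events=EVENTS):
    """Return (sourcetype, EventCode, queue) for every event."""
    result = []
    for ev in events:
        m = re.search(r"(?m)^EventCode=(\d+)$", ev["_raw"])
        result.append((ev["sourcetype"], m.group(1) if m else None, route(ev)))
    return result


def multiline_anchor_matters(raw):
    """Why (?m) is needed: (matches without (?m), matches with (?m))."""
    return (re.search(r"^EventCode=4101", raw) is not None,
            re.search(r"(?m)^EventCode=4101", raw) is not None)


if __name__ == "__main__":
    for sourcetype, code, queue in route_all():
        print(f"{sourcetype:30} EventCode={str(code):<6} -> {queue}")
    print("anchor without/with (?m):", multiline_anchor_matters(EVENTS[0]["_raw"]))
```

Running the block prints one line per event: the Application 4101 event goes to nullQueue, the 1000 event is indexed, the 4101 event under the misnamed WMI:WinEventLog:Application sourcetype is indexed untouched, and of the two System events only 7036 survives the windelete/winkeep pair. The last line shows that `^EventCode=4101` fails against a multi-line event until `(?m)` is set.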
