Splunk Search

Filter Input data from universalforwarder port_9514

mayler
Path Finder

First, thanks for taking the time to look at this. Hopefully I'll be able to provide all the information you need to help me out.

I have several extremely chatty Windows servers (AD 2008) with a universal forwarder installed (4.3.1 build 119532). They're forwarding Windows events to my Splunk server (same version and build) over TCP 9514. So the Splunk server is configured to receive on tcp_9514.

In /etc/system/local/props.conf:
[default]
TRANSFORMS-wmi=wminull

In /etc/system/local/transforms.conf:

[wminull]
REGEX=(?msi)^EventCode=(4768|4776|4769|4932|4933|5152|5158|4634|4672|5156|4662|4624|7036|5145|5140)
DEST_KEY=queue
FORMAT=nullQueue

The problem is I'm still indexing events mentioned in the regex. This configuration worked in our test environment. I'm not sure where to start troubleshooting this. I think it's all configured correctly.

metrics.log (one host)

INFO Metrics - group=tcpin_connections, 10.1.57.202:49328:9514, connectionType=cooked, sourcePort=49328, sourceHost=10.1.57.202, sourceIp=10.1.57.202, destPort=9514, _tcp_Bps=51043.12, _tcp_KBps=49.85, _tcp_avg_thruput=364.65, kb=1463.47, _tcp_Kprocessed=35517.31, _tcp_eps=36.85, build=119532, version=4.3.1, os=Windows, arch=x64, hostname=dccoslo2, guid=526275C8-DEC9-4F06-BD7B-30EFB3158043, fwdType=uf, ssl=false, lastIndexer=10.1.57.198:9514, ack=false

0 Karma

mayler
Path Finder

Unfortunately, there is no answer to the issue I experienced.

Removed my splunk install completely and re-installed the latest version as a fresh install. I only kept my transforms and props.conf files. Everything else is brand new.

And the filter is working. I suspect Ayn was on the right track. Something in my configuration was not right. Thanks for the help!

0 Karma

Ayn
Legend

Just one thought - did you make sure that your transform identifier (the "wmi" part in "TRANSFORMS-wmi") isn't duplicated anywhere? These identifiers need to be unique, so if they're not that will cause undefined behaviour.

mayler
Path Finder

I searched again, this time at /etc/* but still no joy. I really thought that might have been it this time! 🙂 So we all agree the syntax, etc. is good. And this did work in our test environment. But the test environment was brand new. I think I'll just backup my .conf files and install fresh. I'll update.

0 Karma

Ayn
Legend

Note that there are other paths than etc/system that props.conf can reside in. For instance, all apps in etc/apps.

0 Karma
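Ayn's two suggestions above (make sure the "wmi" identifier in TRANSFORMS-wmi is not set anywhere else, and remember that props.conf can also live under etc/apps) can be turned into a small check. This is an added Python example, not code from the thread or from Splunk; the file tree, paths and event below are constructed, and the parser only handles the subset of .conf syntax used in this thread (no continuation lines).

```python
import re
from pathlib import Path

STANZA_RE = re.compile(r"^\[(.+)\]\s*$")
KV_RE = re.compile(r"^([^=#\s][^=]*?)\s*=\s*(.*)$")   # blank and '#' lines match neither pattern

# Constructed stand-in for $SPLUNK_HOME/etc (hypothetical): the app's props.conf repeats TRANSFORMS-wmi, as Ayn suspects.
SAMPLE_TREE = {
    "etc/system/local/props.conf": "[default]\nTRANSFORMS-wmi = wminull\n",
    "etc/apps/search/local/props.conf": "[WinEventLog:Security]\nTRANSFORMS-wmi = keep_all\n",
    "etc/system/local/transforms.conf": "[wminull]\nREGEX = (?msi)^EventCode=(4768|4776|4624)\n"
                                        "DEST_KEY = queue\nFORMAT = nullQueue\n",
}
# Constructed multi-line Windows event in the shape the forwarder delivers it (EventCode is not on line 1).
SAMPLE_EVENT = "04/10/2012 10:00:01 AM\nLogName=Security\nEventCode=4624\nEventType=0\n"

def parse_conf(text):
    """Parse a Splunk .conf body into {stanza: {key: value}} (continuation lines not handled)."""
    stanzas, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := STANZA_RE.match(line):
            stanzas.setdefault(current := m.group(1), {})
        elif (m := KV_RE.match(line)) and current is not None:
            stanzas[current][m.group(1)] = m.group(2)
    return stanzas

def load_tree(splunk_home):
    """Read every props.conf and transforms.conf under $SPLUNK_HOME/etc (system, apps, users)."""
    root = Path(splunk_home) / "etc"
    return {str(p.relative_to(root.parent)): p.read_text(errors="replace")
            for p in root.rglob("*.conf") if p.name in ("props.conf", "transforms.conf")}

def transform_references(tree):
    """Map each TRANSFORMS-<id> key to every (file, stanza, value) that sets it."""
    refs = {}
    for path, text in tree.items():
        if Path(path).name == "props.conf":
            for stanza, kv in parse_conf(text).items():
                for key, value in kv.items():
                    if key.startswith("TRANSFORMS-"):
                        refs.setdefault(key, []).append((path, stanza, value))
    return refs

def duplicated_identifiers(tree):
    return sorted(k for k, v in transform_references(tree).items() if len(v) > 1)

def event_is_dropped(tree, transforms_path, stanza, event):
    t = parse_conf(tree[transforms_path])[stanza]
    routes_to_null = (t.get("DEST_KEY"), t.get("FORMAT")) == ("queue", "nullQueue")  # the nullQueue route
    return routes_to_null and re.search(t["REGEX"], event) is not None  # and the REGEX must hit the raw event
```

On a real host, pass load_tree("/opt/splunk") in place of SAMPLE_TREE; event_is_dropped also lets you confirm that a transform's REGEX really matches a raw multi-line event before relying on it to discard traffic.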

mayler
Path Finder

Thank you for the suggestion. I ran grep -irn TRANSFORMS-wmi /opt/splunk/etc/system/*

It only shows the one entry in /local/props.conf.

0 Karma

mwhite_splunk
Splunk Employee

mayler
Path Finder

Thank you for pointing that out. I tried using that earlier but no luck.

0 Karma