Monitoring Splunk

Windows 2008 event filtering

rriley
New Member

Trying to throw away events not wanted from a server - not working.

props.conf
[WinEventLog:Security]
TRANSFORMS-null = setnull

transform.conf
[setnull]
REGEX = (?m)^EventCode=(4658|4662|4689|4768|4769|4770|4771|4776|4931|4932|4933|4985|5136|5156)\D
DEST_KEY = queue
FORMAT = nullQueue

also tried:
REGEX = (?m)^EventCode=(4658|4662|4689|4768|4769|4770|4771|4776|4931|4932|4933|4985|5136|5156)\b

Any ideas?

Maybe this will be better than a support ticket - that takes forever to get an answer.

Tags (1)
0 Karma

yannK
Splunk Employee
Splunk Employee

Where are those props/transforms applied ?

They have to be where the events are parsed : on the indexer or on heavy forwarders, not on the Universal or Light Forwarders.

0 Karma

rriley
New Member

Sorry this is the config of a full splunk install set to forward. Not a light forwarder.

0 Karma

rriley
New Member

for some reason the (Backslash)\ was omitted when I pasted:

REGEX = (?m)^EventCode=(4658|4662|4689|4768|4769|4770|4771|4776|4931|4932|4933|4985|5136|5156)(backslash)\D

and
REGEX = (?m)^EventCode=(4658|4662|4689|4768|4769|4770|4771|4776|4931|4932|4933|4985|5136|5156)(backslash)\b

0 Karma

Starlette
Contributor

did you try this without the (backslash)D ?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...