Splunk Search

How do you filter Windows Event Log?

BunnyHop
Contributor

I've tried to filter native event logs being indexed using the [WinEventLog...] sourcetype. Here are the config:

props.conf

[WinEventLog:Security]
TRANSFORMS-set = delete

transforms.conf

[delete]
REGEX = .*EventCode\=540.*
DEST_KEY = queue
FORMAT = nullQueue

Wondering if this is a bug?!

1 Solution

gkanapathy
Splunk Employee
Splunk Employee

Though you don't actually say, I assume your problem is the events with EventCode 540 are not being dropped and that you want them to be. I do not know of any bugs in this area.

However, if that is what you are trying to do, one problem is that the "EventCode" you are presumably looking for is usually found at the beginning of a line, while the regex in your configuration requires a "." before it. By default, "." does not match line breaks, so your regex will not match what you intend. A regex that does do what you probably want is "(?m)^EventCode=540".

View solution in original post

gkanapathy
Splunk Employee
Splunk Employee

Though you don't actually say, I assume your problem is the events with EventCode 540 are not being dropped and that you want them to be. I do not know of any bugs in this area.

However, if that is what you are trying to do, one problem is that the "EventCode" you are presumably looking for is usually found at the beginning of a line, while the regex in your configuration requires a "." before it. By default, "." does not match line breaks, so your regex will not match what you intend. A regex that does do what you probably want is "(?m)^EventCode=540".

Lowell
Super Champion

I recommend adding a not-a-digit at the end of that regex. For example: "(?m)^EventCode=540\D" just so you aren't matching some other event code.

BunnyHop
Contributor

Took awhile but I was able to get my exact regex. I did use the (?msi) prefix. Thanks alot!

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

You should look at the documents for PCRE: http://perldoc.perl.org/perlre.html
You probably want to use the (?msi) prefix on your regex if you want it to work.

BunnyHop
Contributor

That works great! Yes I do want to drop specific events. How do you another condition in the regex? Say with the EventCode, I also want to include all username "Anonymous Logon"? I'm thinking on the regex "(?m)^EventCode=540.*ANONYMOUS LOGON.*Logon Type: 3"

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...