I'm trying to exclude event type "4674" from showing up in my Splunk Indexer. I'm using a Heavy Forwarder. I was making changes in the props.conf and transforms.conf files in the local folder as opposed to the default folder.
I'm using a Heavy Forwarder on a Windows 7 32-bit VMWare box.
Here's my coding:
[WMI:WinEventLog:Security]
TRANSFORMS-set=setnull
[setnull]
REGEX =(?msi)^EventCode = (4674).*^Type=Success Audit
DEST_KEY=queue
FORMAT=nullQueue
When I check my indexer, event code 4674 still appears.
I think you are close to what you want, but there is one (maybe more) error. One error was the spaces you had in the regex; also, specifying ".*^Type=Success Audit" in the regex is unnecessary. I also modified the sourcetype name in the props.conf stanza (are you actually collecting the logs via WMI?).
Try this:
props.conf changes
[WinEventLog:Security]
TRANSFORMS-set=setnull
transforms.conf changes
[setnull]
REGEX=(?mi)^EventCode=(4674)
DEST_KEY=queue
FORMAT=nullQueue
Also, be sure to put these configs in the props/transforms on the heavy forwarder and not the indexer.
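To see why the original REGEX never matched and the corrected one does, here is an added example (not from the question, the answer, or Splunk itself) that runs both patterns against two constructed Windows Security events laid out the way the Splunk Windows event log input writes them. The event text, timestamps, host name and the Type=Information field are assumptions made up for the example; Python's re module is used as a stand-in for Splunk's PCRE engine, which is close enough for these simple patterns. It also shows the role of the (?m) flag: without it, ^ anchors only at the very start of the event (the timestamp line), so an EventCode test on a later line fails.

```python
import re

# Constructed sample events in the multi-line layout Splunk's Windows event
# log input produces (illustrative only, not captured from a real host).
EVENT_4674 = """03/21/2014 10:15:02 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4674
EventType=0
Type=Information
ComputerName=WIN7-VM
TaskCategory=Sensitive Privilege Use
Message=An operation was attempted on a privileged object.
"""

EVENT_4624 = """03/21/2014 10:15:03 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
ComputerName=WIN7-VM
TaskCategory=Logon
Message=An account was successfully logged on.
"""

# REGEX from the original question: spaces around '=' inside the pattern
# (the event has none) plus a trailing clause requiring 'Type=Success Audit'.
ORIGINAL_REGEX = r"(?msi)^EventCode = (4674).*^Type=Success Audit"

# REGEX from the answer: no spaces, multi-line + case-insensitive flags only.
CORRECTED_REGEX = r"(?mi)^EventCode=(4674)"

# Same pattern with the (?m) flag dropped: ^ now only matches at offset 0,
# which is the timestamp line, so the EventCode line is never anchored.
NO_MULTILINE_REGEX = r"(?i)^EventCode=(4674)"


def routed_to_nullqueue(event: str, regex: str) -> bool:
    """True if the transform's REGEX matches the raw event, meaning the
    transform would set queue=nullQueue and the event would be dropped."""
    return re.search(regex, event) is not None


def event_code(event: str) -> str:
    """Extract the EventCode value from a raw event ('' if absent)."""
    m = re.search(r"(?m)^EventCode=(\d+)", event)
    return m.group(1) if m else ""


def surviving_event_codes(events, regex):
    """EventCodes of the events that would reach the indexer after the
    nullQueue transform has run with the given REGEX."""
    return [event_code(e) for e in events if not routed_to_nullqueue(e, regex)]


if __name__ == "__main__":
    sample = [EVENT_4674, EVENT_4624]
    for name, rx in [("original", ORIGINAL_REGEX),
                     ("corrected", CORRECTED_REGEX),
                     ("no (?m)", NO_MULTILINE_REGEX)]:
        print(f"{name:>10}: indexed EventCodes = {surviving_event_codes(sample, rx)}")
```

Running it shows the original pattern letting both events through (4674 is still indexed, which is the symptom in the question), the corrected pattern dropping only 4674, and the variant without (?m) again dropping nothing. Once the transform behaves as expected here, the remaining thing to verify is the placement the answer calls out: the props/transforms stanzas must live on the heavy forwarder that parses the data, since an indexer receiving already-parsed events will not re-run them.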