Hi, I have several universal forwarders deployed, and I'm getting lots of events I want to filter out.
I understand from reading answers here I need to do this on the indexer (or else install heavy forwarders on my endpoints, which I don't want to do).
This is a raw entry that I'm trying to drop / filter out from my indexer (i.e. to keep it from using up lots of my license):
02/13/2020 10:19:09.016
event_status="(0)The operation completed successfully."
pid=1216
process_image="c:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
registry_type="CreateKey"
key_path="HKLM\system\controlset001\services\tcpip\parameters"
data_type="REG_NONE"
data=""
This is the entry from the inputs.conf on the forwarders that is sending some of the events I want to filter out:
[WinRegMon://default]
disabled = 0
hive = .*
proc = .*
type = rename|set|delete|create
And I have added these lines on my indexer (and restarted), but I'm still seeing the events come in:
# on props.conf (located in: C:\Program Files\Splunk\etc\users\admin\search\local\props.conf):
[WinRegMon://default]
TRANSFORMS-set= setnull
# on transforms.conf (located in: C:\Program Files\Splunk\etc\users\admin\search\local\transforms.conf):
[setnull]
REGEX = process_image=.+vmtoolsd.exe"
DEST_KEY = queue
FORMAT = nullQueue
Thanks!
(I've been referencing many answers, including this good one):
https://answers.splunk.com/answers/37423/how-to-configure-a-forwarder-to-filter-and-send-the-specific-events-i-want.html
This might help you!
https://docs.splunk.com/Documentation/Splunk/8.0.2/Forwarding/Routeandfilterdatad
transforms.conf
[setnull]
REGEX = (?s).*process_image.*vmtoolsd\.exe.*
DEST_KEY = queue
FORMAT = nullQueue
REGEX captures all.
The stanza name in props.conf should be source::<source*>* or a sourcetype. Set the sourcetype attribute in inputs.conf and use the same name as the stanza in props.conf. You can also put props.conf and transforms.conf on universal forwarders.
inputs.conf
[WinRegMon://default]
disabled = 0
hive = .*
proc = .*
type = rename|set|delete|create
sourcetype = winregmonitor
props.conf
[winregmonitor]
TRANSFORMS-set= setnull
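Before shipping a nullQueue rule, it is worth checking the REGEX against sample raw events, because whatever it matches is discarded before indexing and is gone for good. The following is an added example written for this thread, not code from the thread or from Splunk: it builds a constructed multi-line WinRegMon-style event modelled on the one in the question, applies the asker's REGEX and the answer's (?s) REGEX the way a DEST_KEY=queue / FORMAT=nullQueue transform does (an unanchored search over _raw), and also tries a tighter pattern (TIGHT_REGEX, my own assumption, not from the thread) that keys only on the quoted process_image value. Python's re module stands in for Splunk's PCRE here; for these patterns the behaviour is the same. The second constructed event shows the caveat: a pattern that lets `.*` span lines will also drop events from a different process whenever the string vmtoolsd.exe appears anywhere in the event, which is exactly the kind of registry write a defender would want to keep.

```python
import re


def make_event(process_image: str, key_path: str, data: str = "") -> str:
    """Build a constructed WinRegMon-style raw event (multi-line, like the one in the question)."""
    lines = [
        "02/13/2020 10:19:09.016",
        'event_status="(0)The operation completed successfully."',
        "pid=1216",
        f'process_image="{process_image}"',
        'registry_type="CreateKey"',
        f'key_path="{key_path}"',
        'data_type="REG_NONE"',
        f'data="{data}"',
    ]
    return "\n".join(lines)


# REGEX values as they appear in the thread's transforms.conf stanzas.
ORIGINAL_REGEX = r'process_image=.+vmtoolsd.exe"'           # the asker's version
ANSWER_REGEX = r"(?s).*process_image.*vmtoolsd\.exe.*"      # the answer's version

# Assumed tighter alternative (not from the thread): match only when the quoted
# process_image value itself ends in \vmtoolsd.exe, on its own line.
TIGHT_REGEX = r'(?m)^process_image="[^"]*\\vmtoolsd\.exe"$'


def would_be_dropped(regex: str, raw_event: str) -> bool:
    """Mimic a transforms.conf stanza with DEST_KEY = queue / FORMAT = nullQueue:
    the event is discarded at index time when REGEX matches anywhere in _raw."""
    return re.search(regex, raw_event) is not None


# Constructed sample 1: the noisy VMware Tools event the asker wants to drop.
VMTOOLSD_EVENT = make_event(
    r"c:\Program Files\VMware\VMware Tools\vmtoolsd.exe",
    r"HKLM\system\controlset001\services\tcpip\parameters",
)

# Constructed sample 2: a different process writing a Run key whose data merely
# mentions vmtoolsd.exe. This is an event you would want to keep for detection.
UNRELATED_EVENT = make_event(
    r"c:\users\bob\appdata\local\temp\updater.exe",
    r"HKCU\software\microsoft\windows\currentversion\run",
    r"c:\users\bob\appdata\local\temp\vmtoolsd.exe",
)


def filter_report() -> dict:
    """Return, per regex, which constructed events would hit the nullQueue."""
    return {
        name: {
            "vmtoolsd_event_dropped": would_be_dropped(rx, VMTOOLSD_EVENT),
            "unrelated_event_dropped": would_be_dropped(rx, UNRELATED_EVENT),
        }
        for name, rx in (
            ("ORIGINAL_REGEX", ORIGINAL_REGEX),
            ("ANSWER_REGEX", ANSWER_REGEX),
            ("TIGHT_REGEX", TIGHT_REGEX),
        )
    }


if __name__ == "__main__":
    for name, result in filter_report().items():
        print(f"{name}: {result}")
```

Run it as-is and compare the three rows: all three patterns drop the vmtoolsd event, but only the (?s) pattern from the answer also drops the unrelated event, because its `.*` is allowed to cross line boundaries. Note that this harness only checks the REGEX; it cannot tell you whether the props.conf stanza name or file location is one Splunk actually consults at index time, which is the other half of the problem in the question.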
After making the changes, did you do any of the following:
- run the search:
| extract reload=T
OR
- http[s]://[splunkWebHostname]:[splunkWebPort]/debug/refresh
OR
- restart Splunk -- /opt/splunk/bin/splunk restart?
and then validate?
You should put these under ...\etc\apps\local or ...\etc\system\local instead of under users\admin if you want to use them at index time.
Ismo