Getting Data In

nullQueue for Windows event codes not working

ebailey
Communicator

Hello,

I am trying to set up a nullQueue for Windows security events we do not care to index into Splunk, and my configuration is not working. I am using the below on the Indexer and restarted Splunk. I do not see any errors and I am not sure how else to troubleshoot the issue. The sourcetype in the props matches the sourcetype of the data. Any feedback is most appreciated.

props.conf

[WinEventLog:Security]
TRANSFORMS-WinEvents=eliminate-eventcodes

transforms.conf

[eliminate-eventcodes]
REGEX = EventCode=(5156|4656|33205|5158|577|578|5157|5145|4769|4768|5145|4634)
DEST_KEY = queue
FORMAT = nullQueue

0 Karma

masonmorales
Influencer

Try...

props.conf

[WinEventLog:Security]
TRANSFORMS-DiscardWinEvents = eliminate-eventcodes

transforms.conf

[eliminate-eventcodes]
REGEX = (?m)^EventCode=(5156|4656|33205|5158|577|578|5157|5145|4769|4768|5145|4634)
DEST_KEY = queue
FORMAT = nullQueue

You'll need to restart your indexer again after making the change.

0 Karma
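One way to check a transforms.conf REGEX against sample events before touching the indexer again, as an added example that is not part of the thread: it runs the posted pattern, the `(?m)^` variant suggested above, and a third variant that also anchors the end of the line (my addition) over constructed WinEventLog:Security raw events. The event layout, the sample event codes and the 5771 edge case are constructed for this test.

```python
import re

# REGEX exactly as posted in the thread (transforms.conf, stanza [eliminate-eventcodes])
POSTED_REGEX = r"EventCode=(5156|4656|33205|5158|577|578|5157|5145|4769|4768|5145|4634)"
# Variant suggested in the reply: anchor to the start of a line in the multi-line raw event
ANCHORED_REGEX = r"(?m)^EventCode=(5156|4656|33205|5158|577|578|5157|5145|4769|4768|5145|4634)"
# Tightened variant (added here, not from the thread): also anchor the end of the line,
# so a code that merely starts with a listed code (e.g. 577 vs 5771) is not discarded by accident
STRICT_REGEX = r"(?m)^EventCode=(5156|4656|33205|5158|577|578|5157|5145|4769|4768|5145|4634)$"


def make_event(code):
    """Build a constructed raw event in the multi-line WinEventLog:Security layout."""
    return (
        "06/10/2014 09:30:12 AM\n"
        "LogName=Security\n"
        "SourceName=Microsoft Windows security auditing.\n"
        f"EventCode={code}\n"
        "EventType=0\n"
        "Type=Information\n"
        "ComputerName=WKSTN01.example.local\n"  # constructed host name
        "TaskCategory=Logoff\n"
        "Message=An account was logged off.\n"
    )


def would_be_discarded(raw_event, regex):
    """True if the transform's REGEX matches, i.e. Splunk would route the event to nullQueue."""
    return re.search(regex, raw_event) is not None


def simulate(codes, regex):
    """Return (kept, dropped) lists of event codes for a given REGEX, preserving input order."""
    kept, dropped = [], []
    for code in codes:
        (dropped if would_be_discarded(make_event(code), regex) else kept).append(code)
    return kept, dropped


if __name__ == "__main__":
    # 4624 should be kept; 4634, 5156 and 4769 are in the list; 5771 is a constructed
    # code that is NOT in the list but begins with the listed code 577
    codes = [4624, 4634, 5156, 4769, 5771]
    for name, rx in [("posted", POSTED_REGEX), ("anchored", ANCHORED_REGEX), ("strict", STRICT_REGEX)]:
        kept, dropped = simulate(codes, rx)
        print(f"{name:9s} kept={kept} dropped={dropped}")
```

If the regex matches here but events are still indexed, the transform itself is not the problem and the question becomes where in the pipeline (forwarder type, sourcetype name, restart) the props/transforms are actually being applied.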

ebailey
Communicator

No joy - I made the change and then restarted splunkd. The events are still being indexed. I have other data getting dumped to nullQueue, so this not working is confusing.

0 Karma

yannK
Splunk Employee

If you are using a Universal/Lightweight forwarder, then the nullQueue props/transforms have to be on the indexers.
But if you are using heavy forwarders (HF), you need to put the props/transforms on the HF.

Otherwise, since Splunk 5, you can filter event codes directly on the forwarders in inputs.conf (look for blacklist under WinEventcode).

0 Karma

ebailey
Communicator

The settings are on the indexers - I am working with support on the issue. Thanks for the suggestions.

0 Karma

masonmorales
Influencer

Could you email me a ./splunk diag from your forwarder and your indexer? (See e-mail address in my portfolio.)

0 Karma