Splunk Search

Exclusion Not Working In Transforms.Conf File

itsomana
Path Finder

I have four Windows 2008 R2 servers each running a Splunk Universal Forwarder. On the Splunk server, in the transforms.conf file which resides in C:\Program Files\Splunk\etc\system\local, I have the following configuration:

[FilterSecurityEvents]
REGEX = (?m)EventCode=(5156)
DEST_KEY = queue
FORMAT = nullQueue

In the props.conf file which also resides in C:\Program Files\Splunk\etc\system\local I have the following entry:

[WinEventLog:Security]
TRANSFORMS-Filter_Events = FilterSecurityEvents

I am trying to stop EventCode 5156 being indexed, however this event code is still being indexed by Splunk. Does anyone have any idea as to why this is happening?

From browsing other splunkbase posts I have noticed that I am missing ^ in the string. Should my entry be: REGEX = (?m)^EventCode=(5156)


erstexas
Path Finder

Was anybody ever able to get this working?


tgow
Splunk Employee

You cannot filter events into the nullqueue on a Universal Forwarder. You will need to move the props.conf and transforms.conf onto the Indexer. Try this and the data should be sent to the nullqueue before it is indexed.

tgow
Splunk Employee

The Windows Event Codes can be tricky sometimes with the filtering.

I am wondering if the parentheses on the REGEX could be causing a problem, and adding an anchor, i.e.:

[FilterSecurityEvents]
REGEX = (?m)^EventCode=5156
DEST_KEY = queue
FORMAT = nullQueue
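To make the regex discussion in this thread concrete, here is an added example (not code from the original posts or from Splunk) that applies the candidate REGEX values to constructed sample events laid out the way the WinEventLog input renders them, one field=value per line, and reports which queue each event would be routed to. It uses Python's re module as a stand-in for the PCRE engine Splunk uses in transforms.conf; the event text and the route() helper are assumptions made for the demonstration.

```python
import re

# Constructed sample events in the multi-line field=value layout of a
# WinEventLog:Security event. Not captured from a real host.
EVENT_5156 = """05/21/2014 10:15:22 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
TaskCategory=Filtering Platform Connection
Message=The Windows Filtering Platform has permitted a connection."""

EVENT_4624 = """05/21/2014 10:15:23 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4624
EventType=0
Type=Information
TaskCategory=Logon
Message=An account was successfully logged on."""

# The REGEX values discussed in the thread, plus one variant without (?m)
# to show why the multiline flag matters when ^ is used.
CANDIDATE_REGEXES = {
    "original": r"(?m)EventCode=(5156)",
    "anchored_no_parens": r"(?m)^EventCode=5156",
    "anchored_no_multiline": r"^EventCode=5156",
}


def route(event: str, regex: str) -> str:
    """Mimic a transforms.conf stanza with DEST_KEY = queue / FORMAT = nullQueue.

    A match sends the event to nullQueue (dropped before indexing); otherwise
    it stays on the default indexQueue. Python's re is an assumed stand-in for
    Splunk's PCRE engine; these patterns behave the same in both.
    """
    return "nullQueue" if re.search(regex, event) else "indexQueue"


def evaluate_all(events: dict) -> dict:
    """Route every sample event through every candidate REGEX.

    Returns {regex_label: {event_label: queue_name}}.
    """
    return {
        label: {name: route(text, rx) for name, text in events.items()}
        for label, rx in CANDIDATE_REGEXES.items()
    }


if __name__ == "__main__":
    results = evaluate_all({"e5156": EVENT_5156, "e4624": EVENT_4624})
    for label, per_event in results.items():
        print(f"{label:24s} {CANDIDATE_REGEXES[label]}")
        for name, queue in per_event.items():
            print(f"    {name}: {queue}")
```

Both the original pattern and the anchored one without parentheses send the 5156 event to nullQueue and leave the 4624 event alone, so neither the parentheses nor the missing ^ explain the symptom reported in the thread. The variant without (?m) shows the one way an anchor does break the filter: without the multiline flag, ^ only matches the very start of the event, which begins with the timestamp rather than EventCode.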

itsomana
Path Finder

I have put ^ into the Regex field, REGEX = (?m)^EventCode=5156, then restarted Splunk; however, Splunk was still logging Event Code 5156.

I then took the brackets from around (5156) and restarted Splunk; however, still no luck.
