I have a brand new Splunk 5 installation I am trying to get working with some filtering.
Right now I have one remote event log I am pulling into Splunk. It is the Security log of a Domain Controller. I am trying to only index EventCodes 566 & 632 for now. Ultimately I will set up different props and transforms depending on the source and what I am trying to filter. But for now I would like to get these two event codes working.
So I have a props.conf file that looks like this:
[WMI:WinEventLog:Security]
TRANSFORM-evtLog = wmi-null,wmi-filter
And my transforms.conf file looks like this:
[wmi-null]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[wmi-filter]
REGEX = (?msi)^EventCode=(566|632)
DEST_KEY = queue
FORMAT = main
I have tried changing the Regex around in several different ways, but no matter what I try, nothing makes it to my index. If I remove the Null rule, I get everything from the log, so I know it is working, just not with the filter.
Any help would be greatly appreciated.
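The post's filtering approach (send everything to nullQueue first, then re-route the events whose EventCode matches back to the index queue) depends on two things: the ordered TRANSFORMS list being applied in sequence with the last matching DEST_KEY=queue assignment winning, and the regex actually matching the multi-line key=value text that the WMI Security input produces. The script below is an added example, not code from the original post or from Splunk; it parses a constructed props.conf/transforms.conf pair with Python's configparser and replays that routing logic over a few constructed events so the effect of the config can be checked offline before touching a live indexer. It assumes the props key spelled TRANSFORMS-<name> (with an S) and indexQueue as the queue that reaches the indexer; both differ from the config in the post, and the sample events, timestamps and field values are constructed.

```python
"""Offline replay of Splunk-style queue routing (nullQueue then indexQueue)
over constructed WMI Security events. Added example; not Splunk's own code
and not code from the original post."""
import configparser
import re

# Constructed props.conf. The key is TRANSFORMS-<class> (with an S); the
# transforms listed are applied in the order written.
PROPS_CONF = """
[WMI:WinEventLog:Security]
TRANSFORMS-evtLog = wmi-null, wmi-filter
"""

# Constructed transforms.conf. indexQueue is the queue name that reaches
# the indexer; the index name itself is not a queue.
TRANSFORMS_CONF = """
[wmi-null]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[wmi-filter]
REGEX = (?msi)^EventCode=(566|632)
DEST_KEY = queue
FORMAT = indexQueue
"""

# Constructed sample events in the multi-line key=value layout of the WMI
# event log input (most fields trimmed; values are made up).
SAMPLE_EVENTS = [
    "20130101120000.000000\nCategory=2\nEventCode=566\nEventType=8\nLogfile=Security",
    "20130101120001.000000\nCategory=7\nEventCode=632\nEventType=8\nLogfile=Security",
    "20130101120002.000000\nCategory=2\nEventCode=528\nEventType=8\nLogfile=Security",
    "20130101120003.000000\nCategory=2\nEventCode=4624\nEventType=8\nLogfile=Security",
]


def load_conf(text):
    """Parse a .conf fragment; keep option names case-sensitive and
    disable % interpolation so regexes survive untouched."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def transforms_for(props, sourcetype):
    """Ordered transform names from every TRANSFORMS-* key of a stanza."""
    names = []
    for key, value in props[sourcetype].items():
        if key.startswith("TRANSFORMS-"):
            names.extend(n.strip() for n in value.split(","))
    return names


def route_event(raw, transform_names, transforms):
    """Apply queue-routing transforms in order; the last match wins.
    Events no transform touches keep the default indexQueue."""
    queue = "indexQueue"
    for name in transform_names:
        stanza = transforms[name]
        if stanza.get("DEST_KEY") != "queue":
            continue  # only queue routing is simulated here
        if re.search(stanza["REGEX"], raw):
            queue = stanza["FORMAT"]
    return queue


def event_code(raw):
    """Pull EventCode out of the key=value body (None if absent)."""
    m = re.search(r"^EventCode=(\d+)", raw, re.M)
    return m.group(1) if m else None


def filter_events(events, props_text, transforms_text, sourcetype):
    """Map each event's EventCode to the queue the config routes it to."""
    props = load_conf(props_text)
    transforms = load_conf(transforms_text)
    names = transforms_for(props, sourcetype)
    return {event_code(e): route_event(e, names, transforms) for e in events}


if __name__ == "__main__":
    routed = filter_events(SAMPLE_EVENTS, PROPS_CONF, TRANSFORMS_CONF,
                           "WMI:WinEventLog:Security")
    for code, queue in routed.items():
        print(f"EventCode={code:<5} -> {queue}")
```

Because the null rule matches every event and the filter rule re-routes only 566 and 632, the order of the two names in the TRANSFORMS list is what makes the allow-list work; swapping them would send everything to nullQueue. Replaying the config this way also catches a regex that never matches the raw text (for example one that expects a single line when the input is multi-line) before the change is deployed.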