https://community.splunk.com/t5/Splunk-Dev/remove-events-from-Windows-security/m-p/335253#M5002 <P>so this wouldn't work at the HF level ? - i have no access to the splunk cloud indexers.</P> Sat, 03 Jun 2017 23:22:52 GMT Esky73 2017-06-03T23:22:52Z https://community.splunk.com/t5/Splunk-Dev/remove-events-from-Windows-security/m-p/335251#M5000 <P>Receiving windows security logs from UF's</P> <P>I have a created an app on my HF and put transforms and props in the local folder as such:</P> <PRE><CODE>[WinEventLog:Security] TRANSFORMS-setNull8 = NukeThumbs.db [NukeThumbs.db] REGEX = (?s).*Thumbs.db(?s).* DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> <P>However i'm still seeing windows eventlogs coming through to my splunk instance like the following:</P> <PRE><CODE>D:\SYSTEM\FFMC\Hireline\FFFG Fireline 2016\Pete Register\201705 May\Thumbs.db </CODE></PRE> Sat, 03 Jun 2017 15:35:02 GMT https://community.splunk.com/t5/Splunk-Dev/remove-events-from-Windows-security/m-p/335251#M5000 Esky73 2017-06-03T15:35:02Z https://community.splunk.com/t5/Splunk-Dev/remove-events-from-Windows-security/m-p/335252#M5001 <P>Try this:</P> <PRE><CODE>[NukeThumbs.db] REGEX = \\Thumbs\.db(?:[\r\n]+|$) DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> <P>Deploy this to your INDEXERS and restart all Splunk instances there. When testing your change, only examine events that were indexed AFTER the restarts (you can use something like <CODE>_index_earliest=-2m</CODE> or similar); older events will stay broken (not deleted).</P> Sat, 03 Jun 2017 15:52:08 GMT https://community.splunk.com/t5/Splunk-Dev/remove-events-from-Windows-security/m-p/335252#M5001 woodcock 2017-06-03T15:52:08Z https://community.splunk.com/t5/Splunk-Dev/remove-events-from-Windows-security/m-p/335253#M5002 <P>so this wouldn't work at the HF level ? - i have no access to the splunk cloud indexers.</P> Sat, 03 Jun 2017 23:22:52 GMT https://community.splunk.com/t5/Splunk-Dev/remove-events-from-Windows-security/m-p/335253#M5002 Esky73 2017-06-03T23:22:52Z https://community.splunk.com/t5/Splunk-Dev/remove-events-from-Windows-security/m-p/335254#M5003 <P>Yes, it will work for HF; I should have written <CODE>your parsing servers</CODE> instead of <CODE>Indexers</CODE>.</P> Sat, 03 Jun 2017 23:38:05 GMT https://community.splunk.com/t5/Splunk-Dev/remove-events-from-Windows-security/m-p/335254#M5003 woodcock 2017-06-03T23:38:05Z https://community.splunk.com/t5/Splunk-Dev/remove-events-from-Windows-security/m-p/335255#M5004 <P>applied to the HF and restarted HF still events being seen.</P> <P>Also added:</P> <P>[Nukesvchost]<BR /> REGEX = \[Ss]vchost.exe(?:[\r\n]+|)<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</P> <P>which looks right (In regex101.com)</P> <P>however also doesnt stop the events</P> <P>props and transforms are located in :</P> <P>C:\ProgramFiles\Splunk\etc\apps\Splunk_TA_EventNukes\local</P> Tue, 29 Sep 2020 14:22:39 GMT https://community.splunk.com/t5/Splunk-Dev/remove-events-from-Windows-security/m-p/335255#M5004 Esky73 2020-09-29T14:22:39Z https://community.splunk.com/t5/Splunk-Dev/remove-events-from-Windows-security/m-p/335256#M5005 <P>I have implemented the filtering in inputs.conf on the HF fir now - but still would like to know what could be the issue ..</P> <P>Could it be something to do with the fact the HF's have a 0 byte license - they just forward he data to the cloud.</P> Mon, 05 Jun 2017 01:24:36 GMT https://community.splunk.com/t5/Splunk-Dev/remove-events-from-Windows-security/m-p/335256#M5005 Esky73 2017-06-05T01:24:36Z https://community.splunk.com/t5/Splunk-Dev/remove-events-from-Windows-security/m-p/335257#M5006 <P>Is it possible that your window event log is in multilines ? You could try to use (?ms) instead of (?s). </P> Tue, 06 Jun 2017 03:53:25 GMT https://community.splunk.com/t5/Splunk-Dev/remove-events-from-Windows-security/m-p/335257#M5006 tlam_splunk 2017-06-06T03:53:25Z