https://community.splunk.com/t5/Getting-Data-In/Windows-Event-filtering-on-Heavy-Forwarder/m-p/565682#M100628 <P>&nbsp;</P><P>I was finally able to filter with this stanza</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="splunkcol_0-1630592863922.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/15818i5A5084B0985B9FF5/image-size/large?v=v2&amp;px=999" role="button" title="splunkcol_0-1630592863922.png" alt="splunkcol_0-1630592863922.png" /></span></P><P>note: omit the bracket that is missing at the beginning</P> Thu, 02 Sep 2021 14:30:33 GMT splunkcol 2021-09-02T14:30:33Z https://community.splunk.com/t5/Getting-Data-In/Windows-Event-filtering-on-Heavy-Forwarder/m-p/550305#M91391 <P>I am ingesting 100 windows machines and the events that are affecting my license consumption the most are 5156,5157,5158, 4658,4663, 4656, 4690.</P><P>I don't really know if I should filter them or if I can get out some correlation event that is valuable.</P><P>I have already filtered the first 2 according to Splunk documentation.</P><P>But my client doesn't want me to filter the EventCode if not the "Application Name"</P><P>What I see differently is that "EventCode" is pasted and "Aplication Name" has a blank space and I don't know how I should put the regular expression if I want to filter only by "Aplication name"</P><P>&nbsp;</P><P>for example<BR />Application Name: \device\harddiskvolume2\windows\system32\svchost.exe</P><PRE><STRONG>props.conf</STRONG><BR />[WinEventLog:Security] TRANSFORMS-wmi=wminull<BR /><BR /></PRE><PRE><STRONG>transforms.conf</STRONG><BR />[wminull] REGEX=(?m)^EventCode=(592|593) DEST_KEY=queue FORMAT=nullQueue</PRE><P><A href="https://docs.splunk.com/Documentation/Splunk/6.6.2/Forwarding/Routeandfilterdatad" target="_blank">https://docs.splunk.com/Documentation/Splunk/6.6.2/Forwarding/Routeandfilterdatad</A></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="splunkcol_0-1620085893580.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/14024i4DE744460F498999/image-size/large?v=v2&amp;px=999" role="button" title="splunkcol_0-1620085893580.png" alt="splunkcol_0-1620085893580.png" /></span></P><P>&nbsp;</P> Tue, 04 May 2021 00:14:50 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-Event-filtering-on-Heavy-Forwarder/m-p/550305#M91391 splunkcol 2021-05-04T00:14:50Z https://community.splunk.com/t5/Getting-Data-In/Windows-Event-filtering-on-Heavy-Forwarder/m-p/550743#M91441 <P>&nbsp;</P><P>I was able to achieve filtering like this</P><PRE><STRONG>transforms.conf</STRONG><BR />[wminull] REGEX=(<SPAN>svchost.exe</SPAN>) DEST_KEY=queue FORMAT=nullQueue</PRE><P>&nbsp;</P> Fri, 07 May 2021 01:39:24 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-Event-filtering-on-Heavy-Forwarder/m-p/550743#M91441 splunkcol 2021-05-07T01:39:24Z https://community.splunk.com/t5/Getting-Data-In/Windows-Event-filtering-on-Heavy-Forwarder/m-p/565682#M100628 <P>&nbsp;</P><P>I was finally able to filter with this stanza</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="splunkcol_0-1630592863922.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/15818i5A5084B0985B9FF5/image-size/large?v=v2&amp;px=999" role="button" title="splunkcol_0-1630592863922.png" alt="splunkcol_0-1630592863922.png" /></span></P><P>note: omit the bracket that is missing at the beginning</P> Thu, 02 Sep 2021 14:30:33 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-Event-filtering-on-Heavy-Forwarder/m-p/565682#M100628 splunkcol 2021-09-02T14:30:33Z