<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: How to send noisy windows event to null? in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/How-to-send-noisy-windows-event-to-null/m-p/631914#M108293</link>
    <description>&lt;P&gt;If the event is multi-line, then &lt;FONT face="courier new,courier"&gt;.+&lt;/FONT&gt; may not match across newlines, because &lt;FONT face="courier new,courier"&gt;.&lt;/FONT&gt; does not match a newline character by default.&amp;nbsp; Try this alternative, in which &lt;FONT face="courier new,courier"&gt;[\s\S]&lt;/FONT&gt; matches any character including newlines.&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;REGEX = (&amp;lt;EventID&amp;gt;13&amp;lt;\/EventID&amp;gt;)[\s\S]+Bookmark&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Wed, 22 Feb 2023 20:17:58 GMT</pubDate>
    <dc:creator>richgalloway</dc:creator>
    <dc:date>2023-02-22T20:17:58Z</dc:date>
    <item>
      <title>How to send noisy windows event to null?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-send-noisy-windows-event-to-null/m-p/631895#M108291</link>
      <description>&lt;P&gt;I have tried the following to send the Windows event shown below to the null queue, but it does not work.&lt;/P&gt;
&lt;P&gt;I have tried placing props.conf and transforms.conf in system\local and in apps\"appname"\local.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;U&gt;raw event:&lt;/U&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&amp;lt;Event xmlns='&lt;A href="http://schemas.microsoft.com/win/2004/08/events/event" target="_blank" rel="noopener"&gt;http://schemas.microsoft.com/win/2004/08/events/event&lt;/A&gt;'&amp;gt;&amp;lt;System&amp;gt;&amp;lt;Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'/&amp;gt;&amp;lt;EventID&amp;gt;13&amp;lt;/EventID&amp;gt;&amp;lt;Version&amp;gt;2&amp;lt;/Version&amp;gt;&amp;lt;Level&amp;gt;4&amp;lt;/Level&amp;gt;&amp;lt;Task&amp;gt;13&amp;lt;/Task&amp;gt;&amp;lt;Opcode&amp;gt;0&amp;lt;/Opcode&amp;gt;&amp;lt;Keywords&amp;gt;0x8000000000000000&amp;lt;/Keywords&amp;gt;&amp;lt;TimeCreated SystemTime='2023-02-22T16:39:16.083750800Z'/&amp;gt;&amp;lt;EventRecordID&amp;gt;18650882160&amp;lt;/EventRecordID&amp;gt;&amp;lt;Correlation/&amp;gt;&amp;lt;Execution ProcessID='2496' ThreadID='3780'/&amp;gt;&amp;lt;Channel&amp;gt;Microsoft-Windows-Sysmon/Operational&amp;lt;/Channel&amp;gt;&amp;lt;Computer&amp;gt;site-wec.site.lan&amp;lt;/Computer&amp;gt;&amp;lt;Security UserID='S-1-5-18'/&amp;gt;&amp;lt;/System&amp;gt;&amp;lt;EventData&amp;gt;&amp;lt;Data Name='RuleName'&amp;gt;-&amp;lt;/Data&amp;gt;&amp;lt;Data Name='EventType'&amp;gt;SetValue&amp;lt;/Data&amp;gt;&amp;lt;Data Name='UtcTime'&amp;gt;2023-02-22 16:39:16.081&amp;lt;/Data&amp;gt;&amp;lt;Data Name='ProcessGuid'&amp;gt;{4bf925e4-0d0b-63e5-4100-000000002000}&amp;lt;/Data&amp;gt;&amp;lt;Data Name='ProcessId'&amp;gt;2688&amp;lt;/Data&amp;gt;&amp;lt;Data Name='Image'&amp;gt;C:\Windows\system32\svchost.exe&amp;lt;/Data&amp;gt;&amp;lt;Data Name='TargetObject'&amp;gt;HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\EventCollector\Subscriptions\Sysmon\EventSources\site-wec.site.lan\Bookmark&amp;lt;/Data&amp;gt;&amp;lt;Data Name='Details'&amp;gt;&amp;amp;lt;BookmarkList&amp;amp;gt;&amp;amp;lt;Bookmark Channel="Microsoft-Windows-Sysmon/Operational" RecordId="18650811531" IsCurrent="true"/&amp;amp;gt;&amp;amp;lt;/BookmarkList&amp;amp;gt;&amp;lt;/Data&amp;gt;&amp;lt;Data 
Name='User'&amp;gt;NT AUTHORITY\NETWORK SERVICE&amp;lt;/Data&amp;gt;&amp;lt;/EventData&amp;gt;&amp;lt;/Event&amp;gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;U&gt;&lt;STRONG&gt;props.conf&lt;/STRONG&gt;&lt;/U&gt;&lt;/P&gt;
&lt;P&gt;[XmlWinEventLog:Microsoft-Windows-Sysmon/Operational&lt;BR /&gt;TRANSFORMS-sysmon13Bookmark = sysmon13-Bookmark&lt;/P&gt;
&lt;P&gt;&lt;U&gt;&lt;STRONG&gt;transforms.conf&lt;/STRONG&gt;&lt;/U&gt;&lt;/P&gt;
&lt;P&gt;[sysmon13-Bookmark]&lt;BR /&gt;REGEX = (&amp;lt;EventID&amp;gt;13&amp;lt;\/EventID&amp;gt;).+Bookmark&lt;BR /&gt;DEST_KEY = queue&lt;BR /&gt;FORMAT = nullQueue&lt;/P&gt;</description>
      <pubDate>Wed, 22 Feb 2023 18:16:28 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-send-noisy-windows-event-to-null/m-p/631895#M108291</guid>
      <dc:creator>dford77</dc:creator>
      <dc:date>2023-02-22T18:16:28Z</dc:date>
    </item>
    <item>
      <title>Re: How to send noisy windows event to null?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-send-noisy-windows-event-to-null/m-p/631911#M108292</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/254150"&gt;@dford77&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The config looks essentially correct (possibly a copy-paste error in props.conf, as the stanza header is missing its closing bracket).&amp;nbsp; Perhaps you configured it on the Splunk universal forwarder agent, which would be incorrect.&lt;BR /&gt;&lt;BR /&gt;This configuration needs to live in the event-parsing tier of the Splunk servers,&amp;nbsp;typically a heavy forwarder or indexer, or possibly a standalone Splunk instance, depending on your setup.&lt;/P&gt;&lt;P&gt;&lt;U&gt;&lt;STRONG&gt;props.conf&lt;/STRONG&gt;&lt;/U&gt;&lt;/P&gt;&lt;PRE&gt;&lt;SPAN&gt;# double check the sourcetype used below is correct in the event&lt;BR /&gt;[XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]&lt;BR /&gt;&lt;/SPAN&gt;TRANSFORMS-sysmon13Bookmark = sysmon13-Bookmark&lt;/PRE&gt;&lt;P&gt;&lt;U&gt;&lt;STRONG&gt;transforms.conf&lt;/STRONG&gt;&lt;/U&gt;&lt;/P&gt;&lt;PRE&gt;[sysmon13-Bookmark]&lt;BR /&gt;REGEX = &amp;lt;EventID&amp;gt;13&amp;lt;\/EventID&amp;gt;.+Bookmark&lt;BR /&gt;DEST_KEY = queue&lt;BR /&gt;FORMAT = nullQueue&lt;/PRE&gt;&lt;P&gt;To ensure the config is picked up, a restart of the Splunk instance may be needed (hopefully you have a test environment).&lt;BR /&gt;&lt;BR /&gt;Hope this helps&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 22 Feb 2023 20:10:43 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-send-noisy-windows-event-to-null/m-p/631911#M108292</guid>
      <dc:creator>yeahnah</dc:creator>
      <dc:date>2023-02-22T20:10:43Z</dc:date>
    </item>
    <item>
      <title>Re: How to send noisy windows event to null?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-send-noisy-windows-event-to-null/m-p/631914#M108293</link>
      <description>&lt;P&gt;If the event is multi-line, then &lt;FONT face="courier new,courier"&gt;.+&lt;/FONT&gt; may not match across newlines, because &lt;FONT face="courier new,courier"&gt;.&lt;/FONT&gt; does not match a newline character by default.&amp;nbsp; Try this alternative, in which &lt;FONT face="courier new,courier"&gt;[\s\S]&lt;/FONT&gt; matches any character including newlines.&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;REGEX = (&amp;lt;EventID&amp;gt;13&amp;lt;\/EventID&amp;gt;)[\s\S]+Bookmark&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 22 Feb 2023 20:17:58 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-send-noisy-windows-event-to-null/m-p/631914#M108293</guid>
      <dc:creator>richgalloway</dc:creator>
      <dc:date>2023-02-22T20:17:58Z</dc:date>
    </item>
  </channel>
</rss>

