https://community.splunk.com/t5/Getting-Data-In/WinEventLog-filtering-EventCode/m-p/55778#M10908 <P>BEWARE : On recent versions of the windows app, the sourcetype for windowsevents has changed, so should change the props.conf </P> <UL> <LI>[wmi] in splunk 4.1</LI> <LI>[WMI:WinEventLog:Security] in 4.2</LI> </UL> <P>please try then both, or use them both if you have a mix of forwarder's versions to cover them all.</P> Wed, 29 Jun 2011 19:45:32 GMT yannK 2011-06-29T19:45:32Z https://community.splunk.com/t5/Getting-Data-In/WinEventLog-filtering-EventCode/m-p/55776#M10906 <P>I have a Splunk central indexer on rhel5.5 and a forwarder (not LWF) on a Server 2008 VM. Currently I am forwarding all of WinEventLog:Security, and want to not index EventCode=566.</P> <P>props.conf</P> <PRE><CODE>[WMI:WinEventLog:Security] TRANSFORMS-null= setnull </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[setnull] REGEX ="(?m)^EventCode=566" DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> <P>Currently these files exist in $SPLUNK_HOME/etc/system/local on the indexer, but I am still seeing results for EventCode=566 in search. </P> <P>What am I doing wrong?</P> Wed, 09 Mar 2011 00:01:07 GMT https://community.splunk.com/t5/Getting-Data-In/WinEventLog-filtering-EventCode/m-p/55776#M10906 joshrabinowitz 2011-03-09T00:01:07Z https://community.splunk.com/t5/Getting-Data-In/WinEventLog-filtering-EventCode/m-p/55777#M10907 <P>You shouldn't have the double-quotes (<CODE>"</CODE>) around your REGEX, since they aren't in the data:</P> <PRE><CODE>REGEX = (?m)^EventCode=566 </CODE></PRE> Wed, 09 Mar 2011 01:24:45 GMT https://community.splunk.com/t5/Getting-Data-In/WinEventLog-filtering-EventCode/m-p/55777#M10907 gkanapathy 2011-03-09T01:24:45Z https://community.splunk.com/t5/Getting-Data-In/WinEventLog-filtering-EventCode/m-p/55778#M10908 <P>BEWARE : On recent versions of the windows app, the sourcetype for windowsevents has changed, so should change the props.conf </P> <UL> <LI>[wmi] in splunk 4.1</LI> <LI>[WMI:WinEventLog:Security] in 4.2</LI> </UL> <P>please try then both, or use them both if you have a mix of forwarder's versions to cover them all.</P> Wed, 29 Jun 2011 19:45:32 GMT https://community.splunk.com/t5/Getting-Data-In/WinEventLog-filtering-EventCode/m-p/55778#M10908 yannK 2011-06-29T19:45:32Z https://community.splunk.com/t5/Getting-Data-In/WinEventLog-filtering-EventCode/m-p/55779#M10909 <P>UPDATE splunk 6.*<BR /> Since this version you can actually specify a list or range of eventCodes to exclude at the forwarder level, in inputs.conf. It will reduce the volume at the forwarder level and reduce the network load.</P> <P>see <BR /> <A href="http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf">http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf</A></P> <P>example:</P> <P><CODE>[WinEventLog:Security]<BR /> disabled = 0<BR /> blacklist=566,800-850<BR /> </CODE></P> Fri, 25 Oct 2013 23:32:34 GMT https://community.splunk.com/t5/Getting-Data-In/WinEventLog-filtering-EventCode/m-p/55779#M10909 yannK 2013-10-25T23:32:34Z