<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Audit logs added to Windows security events in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Audit-logs-added-to-Windows-security-events/m-p/73907#M15124</link>
    <description>&lt;P&gt;Hi,&lt;/P&gt;

&lt;P&gt;In some cases it seems Splunk adds this kind of info to some winsec events:&lt;/P&gt;

&lt;P&gt;Audit:[timestamp=04-03-2011 04:13:13.169, user=splunk-system-user, action=search, info=granted , search_id='scheduler_&lt;EM&gt;nobody&lt;/EM&gt;_search_SW5kZXhpbmcgd29ya2xvYWQ_at_1301796000_1747808923', search='search  index=_internal (source=&lt;EM&gt;/metrics.log&lt;/EM&gt; OR source=&lt;EM&gt;\metrics.log&lt;/EM&gt;) group=per_sourcetype_thruput | timechart span=10m per_second(kb) by series', autojoin='1', buckets=0, ttl=1800, max_count=500000, maxtime=0, enable_lookups='1', extra_fields='', apiStartTime='Sat Apr 02 03:55:00 2011', apiEndTime='Sun Apr 03 03:55:00 2011', savedsearch_name="Indexing workload"][n/a]
Audit:[timestamp=04-03-2011 04:13:14.919, user=splunk-system-user, action=search, info=granted , search_id='scheduler_&lt;EM&gt;nobody&lt;/EM&gt;_windows_Q1BVIFV0aWxpemF0aW9uIFN1bW1hcnk_at_1301796240_858207800', search='search  source="wmi:cputime" | stats avg(PercentProcessorTime) as avgCPUTime,avg(PercentUserTime) as avgUserTime | eval avgCPUTime=round(avgCPUTime,1) | eval avgUserTime=round(avgUserTime,1)', autojoin='1', buckets=0, ttl=14400, max_count=500000, maxtime=0, enable_lookups='1', extra_fields='', apiStartTime='Sat Apr 02 04:04:00 2011', apiEndTime='Sun Apr 03 04:04:00 2011', savedsearch_name="CPU Utilization Summary"][n/a]
Audit:[timestamp=04-03-2011 04:13:16.700, user=splunk-system-user, action=search, info=granted , search_id='scheduler_&lt;EM&gt;nobody&lt;/EM&gt;_search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1301796600_1636259345', search='search  index=_internal (source=&lt;EM&gt;/metrics.log&lt;/EM&gt; OR source=&lt;EM&gt;\metrics.log&lt;/EM&gt;) group=per_sourcetype_thruput | chart sum(kb) by series | sort -sum(kb) | head 5', autojoin='1', buckets=0, ttl=600, max_count=500000, maxtime=0, enable_lookups='1', extra_fields='', apiStartTime='Sat Apr 02 04:10:00 2011', apiEndTime='Sun Apr 03 04:10:00 2011', savedsearch_name="Top five sourcetypes"][n/a]&lt;/P&gt;

&lt;P&gt;Any idea how we can get rid of this?&lt;/P&gt;</description>
    <pubDate>Mon, 04 Apr 2011 14:49:57 GMT</pubDate>
    <dc:creator>johandk</dc:creator>
    <dc:date>2011-04-04T14:49:57Z</dc:date>
    <item>
      <title>Audit logs added to Windows security events</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Audit-logs-added-to-Windows-security-events/m-p/73907#M15124</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;

&lt;P&gt;In some cases it seems Splunk adds this kind of info to some winsec events:&lt;/P&gt;

&lt;P&gt;Audit:[timestamp=04-03-2011 04:13:13.169, user=splunk-system-user, action=search, info=granted , search_id='scheduler_&lt;EM&gt;nobody&lt;/EM&gt;_search_SW5kZXhpbmcgd29ya2xvYWQ_at_1301796000_1747808923', search='search  index=_internal (source=&lt;EM&gt;/metrics.log&lt;/EM&gt; OR source=&lt;EM&gt;\metrics.log&lt;/EM&gt;) group=per_sourcetype_thruput | timechart span=10m per_second(kb) by series', autojoin='1', buckets=0, ttl=1800, max_count=500000, maxtime=0, enable_lookups='1', extra_fields='', apiStartTime='Sat Apr 02 03:55:00 2011', apiEndTime='Sun Apr 03 03:55:00 2011', savedsearch_name="Indexing workload"][n/a]
Audit:[timestamp=04-03-2011 04:13:14.919, user=splunk-system-user, action=search, info=granted , search_id='scheduler_&lt;EM&gt;nobody&lt;/EM&gt;_windows_Q1BVIFV0aWxpemF0aW9uIFN1bW1hcnk_at_1301796240_858207800', search='search  source="wmi:cputime" | stats avg(PercentProcessorTime) as avgCPUTime,avg(PercentUserTime) as avgUserTime | eval avgCPUTime=round(avgCPUTime,1) | eval avgUserTime=round(avgUserTime,1)', autojoin='1', buckets=0, ttl=14400, max_count=500000, maxtime=0, enable_lookups='1', extra_fields='', apiStartTime='Sat Apr 02 04:04:00 2011', apiEndTime='Sun Apr 03 04:04:00 2011', savedsearch_name="CPU Utilization Summary"][n/a]
Audit:[timestamp=04-03-2011 04:13:16.700, user=splunk-system-user, action=search, info=granted , search_id='scheduler_&lt;EM&gt;nobody&lt;/EM&gt;_search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1301796600_1636259345', search='search  index=_internal (source=&lt;EM&gt;/metrics.log&lt;/EM&gt; OR source=&lt;EM&gt;\metrics.log&lt;/EM&gt;) group=per_sourcetype_thruput | chart sum(kb) by series | sort -sum(kb) | head 5', autojoin='1', buckets=0, ttl=600, max_count=500000, maxtime=0, enable_lookups='1', extra_fields='', apiStartTime='Sat Apr 02 04:10:00 2011', apiEndTime='Sun Apr 03 04:10:00 2011', savedsearch_name="Top five sourcetypes"][n/a]&lt;/P&gt;

&lt;P&gt;Any idea how we can get rid of this?&lt;/P&gt;</description>
      <pubDate>Mon, 04 Apr 2011 14:49:57 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Audit-logs-added-to-Windows-security-events/m-p/73907#M15124</guid>
      <dc:creator>johandk</dc:creator>
      <dc:date>2011-04-04T14:49:57Z</dc:date>
    </item>
    <item>
      <title>Re: Audit logs added to Windows security events</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Audit-logs-added-to-Windows-security-events/m-p/73908#M15125</link>
      <description>&lt;P&gt;You will probably want to route those events to the null queue. This means that you will want to configure Splunk to take specific events such as what you have posted, and it will not index these events. &lt;/P&gt;

&lt;P&gt;Here is another answer link that is similar:&lt;/P&gt;

&lt;P&gt;&lt;A href="http://answers.splunk.com/questions/11617/route-unwanted-logs-to-a-null-queue" rel="nofollow"&gt;http://answers.splunk.com/questions/11617/route-unwanted-logs-to-a-null-queue&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;Also, the Splunk documentation contains some great examples to get you started with filtering events out that you do not want.&lt;/P&gt;

&lt;P&gt;&lt;A href="http://www.splunk.com/base/Documentation/4.2/Deploy/Routeandfilterdatad#Discard_specific_events_and_keep_the_rest" rel="nofollow"&gt;http://www.splunk.com/base/Documentation/4.2/Deploy/Routeandfilterdatad#Discard_specific_events_and_keep_the_rest&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 04 Apr 2011 17:26:51 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Audit-logs-added-to-Windows-security-events/m-p/73908#M15125</guid>
      <dc:creator>Rob</dc:creator>
      <dc:date>2011-04-04T17:26:51Z</dc:date>
    </item>
  </channel>
</rss>

