https://community.splunk.com/t5/Getting-Data-In/Remove-section-from-windows-2008r2-security-log/m-p/76382#M15590 <P>You might want to consider changing the search for your statistics to not include where Account Name/Domain fields are equal to to a -. </P> <P>The other option is to take a look at using the SEDCMD parameter in your props.conf file and create a sed script to re-write those lines.</P> <P>For example:</P> <PRE><CODE>s/Account\sName:\s+\-//g </CODE></PRE> <P>This would replace the "Account Name: -" line with an empty line.</P> <P>Another option is to use a script (bash, batch, python, powershell, perl, etc.) to clean up the event before it is indexed to remove that particular section.</P> Sat, 27 Oct 2012 00:22:18 GMT Rob 2012-10-27T00:22:18Z https://community.splunk.com/t5/Getting-Data-In/Remove-section-from-windows-2008r2-security-log/m-p/76381#M15589 <P>I'm playing with WinEventLog:Security source, and I found a "-" username that altered my statistics.<BR /> In a generic login log, there is a section with this user, and I'm looking for a way to remove it and clean/normaliza my logs before they'll be indexed.</P> <P>An example:</P> <P><PRE><BR /> 09/15/2011 01:41:18 PM<BR /> LogName=Security<BR /> SourceName=Microsoft Windows security auditing.<BR /> EventCode=4624<BR /> EventType=0<BR /> Type=Information<BR /> ComputerName=DC.domain.local<BR /> TaskCategory=Logon<BR /> OpCode=Info<BR /> RecordNumber=22396221<BR /> Keywords=Audit Success<BR /> Message=An account was successfully logged on.</PRE></P> <P>Subject:<BR /> Security ID: S-1-0-0<BR /> Account Name: -<BR /> Account Domain: -<BR /> Logon ID: 0x0</P> <P>Logon Type: 3</P> <P>New Logon:<BR /> Security ID: S-1-5-21-1759315991-2675907183-3548838191-1129<BR /> Account Name: username<BR /> Account Domain: DOMAIN<BR /> Logon ID: 0x155b3446<BR /> Logon GUID: {FBB0AB00-6A66-14F3-0CF8-6709832A3FB8}</P> <P>Process Information:<BR /> Process ID: 0x0<BR /> Process Name: -</P> <P>Network Information:<BR /> Workstation Name:<BR /> Source Network Address: 10.x.y.z<BR /> Source Port: 50233</P> <P>Detailed Authentication Information:<BR /> Logon Process: Kerberos<BR /> Authentication Package: Kerberos<BR /> Transited Services: -<BR /> Package Name (NTLM only): -<BR /> Key Length: 0<BR /> <CODE></CODE></P> <P>How I can remove the section:</P> <P>Subject:<BR /> Security ID: S-1-0-0<BR /> Account Name: -<BR /> Account Domain: -<BR /> Logon ID: 0x0</P> <P>from my log?</P> <P>Regards<BR /> bizza</P> Thu, 15 Sep 2011 13:18:16 GMT https://community.splunk.com/t5/Getting-Data-In/Remove-section-from-windows-2008r2-security-log/m-p/76381#M15589 bizza 2011-09-15T13:18:16Z https://community.splunk.com/t5/Getting-Data-In/Remove-section-from-windows-2008r2-security-log/m-p/76382#M15590 <P>You might want to consider changing the search for your statistics to not include where Account Name/Domain fields are equal to to a -. </P> <P>The other option is to take a look at using the SEDCMD parameter in your props.conf file and create a sed script to re-write those lines.</P> <P>For example:</P> <PRE><CODE>s/Account\sName:\s+\-//g </CODE></PRE> <P>This would replace the "Account Name: -" line with an empty line.</P> <P>Another option is to use a script (bash, batch, python, powershell, perl, etc.) to clean up the event before it is indexed to remove that particular section.</P> Sat, 27 Oct 2012 00:22:18 GMT https://community.splunk.com/t5/Getting-Data-In/Remove-section-from-windows-2008r2-security-log/m-p/76382#M15590 Rob 2012-10-27T00:22:18Z