https://community.splunk.com/t5/Getting-Data-In/discard-not-needed-events/m-p/82505#M17095 <P>Hi,<BR /> I am new to splunk, I only want to forward specific events to splunk (for example: failures)and discard the rest.In the props.conf file<BR /> I added these lines below<BR /> [WMI:WinEventLog:Security]<BR /> TRANSFORMS-wmi=wminull</P> <P>and in the transforms.conf file, I added those lines<BR /> [wminull]<BR /> REGEX=(?m)^Keywords = Audit Success<BR /> DEST_KEY=queue<BR /> FORMAT=nullQueue</P> <P>the indexer is still receiving the Audit Success logs, would you please let me know what I am doing wrong?</P> <P>thanks,.</P> Tue, 02 Jul 2013 19:39:36 GMT Clovens 2013-07-02T19:39:36Z https://community.splunk.com/t5/Getting-Data-In/discard-not-needed-events/m-p/82505#M17095 <P>Hi,<BR /> I am new to splunk, I only want to forward specific events to splunk (for example: failures)and discard the rest.In the props.conf file<BR /> I added these lines below<BR /> [WMI:WinEventLog:Security]<BR /> TRANSFORMS-wmi=wminull</P> <P>and in the transforms.conf file, I added those lines<BR /> [wminull]<BR /> REGEX=(?m)^Keywords = Audit Success<BR /> DEST_KEY=queue<BR /> FORMAT=nullQueue</P> <P>the indexer is still receiving the Audit Success logs, would you please let me know what I am doing wrong?</P> <P>thanks,.</P> Tue, 02 Jul 2013 19:39:36 GMT https://community.splunk.com/t5/Getting-Data-In/discard-not-needed-events/m-p/82505#M17095 Clovens 2013-07-02T19:39:36Z https://community.splunk.com/t5/Getting-Data-In/discard-not-needed-events/m-p/82506#M17096 <P>Two possible causes to this:<BR /> - You're trying to do this on a Universal Forwarder. These will not filter data - it has to be done on the indexer.<BR /> - Your regex isn't matching properly.</P> Tue, 02 Jul 2013 20:25:06 GMT https://community.splunk.com/t5/Getting-Data-In/discard-not-needed-events/m-p/82506#M17096 Ayn 2013-07-02T20:25:06Z https://community.splunk.com/t5/Getting-Data-In/discard-not-needed-events/m-p/82507#M17097 <P>Clovens,</P> <P>Another possibility is that that beginning of line character may not actually be there. Try it with just Audit Success and see what happens.</P> <P>Also, the things that Ayn mentioned. Make sure those are correct first.</P> Wed, 03 Jul 2013 02:59:20 GMT https://community.splunk.com/t5/Getting-Data-In/discard-not-needed-events/m-p/82507#M17097 mloven_splunk 2013-07-03T02:59:20Z https://community.splunk.com/t5/Getting-Data-In/discard-not-needed-events/m-p/82508#M17098 <P>I made the changes but the indexer is still collecting the data,<BR /> I even tried using the eventype but that didn't work either.</P> <P>[EventType]<BR /> REGEX=(?m)Type=Information<BR /> DEST_KEY=queue<BR /> FORMAT=nullQueue</P> <P>below is one of the events that I want to discard</P> <P>LogName=Security<BR /> SourceName=Microsoft Windows securityauditing.<BR /> EventCode=5156<BR /> EventType=0<BR /> Type=Information<BR /> ComputerName=Computer.domain.inc<BR /> TaskCategory=Filtering Platform Connection<BR /> OpCode=Info<BR /> RecordNumber=711139664<BR /> Keywords=Audit Success<BR /> Message=The Windows Filtering Platform has allowed a connection.</P> <P>would you please take a look, thanks.</P> Mon, 08 Jul 2013 17:01:11 GMT https://community.splunk.com/t5/Getting-Data-In/discard-not-needed-events/m-p/82508#M17098 Clovens 2013-07-08T17:01:11Z