topic Re: Filter WinEventLog in Getting Data In

Filter WinEventLog

mildorp — Mon, 28 Sep 2020 14:14:59 GMT

Hi, i need of the filter for Windows Logs, in Splunk Web, ok....more i need in inputs in each machine.
TaskCategory="Logon" OR "logoff" Logon_Type="2" OR Logon_Type="3" OR Logon_Type="10" OR Logon_Type="11"

thanks..

Re: Filter WinEventLog

Jon_Webster — Mon, 28 Sep 2020 14:15:04 GMT

I'm not sure what you're asking for. I tried the search below on our system and it works fine:

index="main" (TaskCategory="Logon" OR TaskCategory="logoff") (Logon_Type="2" OR Logon_Type="3" OR Logon_Type="10" OR Logon_Type="11")

Are you getting the events you want?

Note that your search: TaskCategory="Logon" OR "logoff" will get any events that contain the work "logoff", even if they are not in the TaskCategory field.

You might want to use (TaskCategory="Logon" OR TaskCategory="logoff")

Re: Filter WinEventLog

mildorp — Thu, 04 Jul 2013 11:55:43 GMT

Thanks...
I need to use this filter in transforms.conf and propos.conf the file, however it's not working.

Re: Filter WinEventLog

mildorp — Thu, 04 Jul 2013 11:56:15 GMT

Thanks...
I need to use this filter in transforms.conf and propos.conf the file, however it's not working.

Re: Filter WinEventLog

yannK — Tue, 31 Dec 2013 21:15:57 GMT

The props/transforms only apply when the events are parsed, so only on the indexers (or heavy forwarders)
It will not work in the universal or lightweight forwarders.