https://community.splunk.com/t5/Getting-Data-In/Windows-Events-filtering/m-p/89284#M18519 <P>Hi All,</P> <P>Trying to filter on Win Sec events, dropping events that don't have particular eventids and Account Name contains $ (computer accounts)<BR /> Currently I have something like this in my transforms.conf:</P> <PRE><CODE>[eventsallowed] ... = (?m)^EventCode=(4624|4625).Account Name:^((?!\$).)*$ </CODE></PRE> <P>this doesn't work. Dropping the Account Name: ... forwards the events correctly. The reg also seems to be fine for the account name, so not sure what i'm doing wrong.<BR /> Any ideas?</P> <P>Thanks,<BR /> Luca</P> Sat, 13 Oct 2012 19:01:09 GMT only4luca 2012-10-13T19:01:09Z https://community.splunk.com/t5/Getting-Data-In/Windows-Events-filtering/m-p/89284#M18519 <P>Hi All,</P> <P>Trying to filter on Win Sec events, dropping events that don't have particular eventids and Account Name contains $ (computer accounts)<BR /> Currently I have something like this in my transforms.conf:</P> <PRE><CODE>[eventsallowed] ... = (?m)^EventCode=(4624|4625).Account Name:^((?!\$).)*$ </CODE></PRE> <P>this doesn't work. Dropping the Account Name: ... forwards the events correctly. The reg also seems to be fine for the account name, so not sure what i'm doing wrong.<BR /> Any ideas?</P> <P>Thanks,<BR /> Luca</P> Sat, 13 Oct 2012 19:01:09 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-Events-filtering/m-p/89284#M18519 only4luca 2012-10-13T19:01:09Z https://community.splunk.com/t5/Getting-Data-In/Windows-Events-filtering/m-p/89285#M18520 <P>have you tried with <CODE>(?msi)</CODE> instead of <CODE>(?m)</CODE> ?</P> Sun, 14 Oct 2012 18:40:51 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-Events-filtering/m-p/89285#M18520 MarioM 2012-10-14T18:40:51Z https://community.splunk.com/t5/Getting-Data-In/Windows-Events-filtering/m-p/89286#M18521 <P>Did you end up figuring out what the issue was? I am working on the same task and have been bashing my head against it for a little while now...</P> Wed, 30 Jan 2013 22:29:29 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-Events-filtering/m-p/89286#M18521 Lord_Middleton 2013-01-30T22:29:29Z https://community.splunk.com/t5/Getting-Data-In/Windows-Events-filtering/m-p/89287#M18522 <P>If you're trying to do this on a Universal Forwarder, that won't work. Filtering can only be performed on Splunk instances that perform parsing (basically, most instances except Universal Forwarders).</P> Wed, 30 Jan 2013 22:45:19 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-Events-filtering/m-p/89287#M18522 Ayn 2013-01-30T22:45:19Z https://community.splunk.com/t5/Getting-Data-In/Windows-Events-filtering/m-p/89288#M18523 <P>Nope- trying to get it running on the main Splunk instance- sorry for the delay... been busy on other projects.</P> Fri, 22 Feb 2013 19:45:27 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-Events-filtering/m-p/89288#M18523 Lord_Middleton 2013-02-22T19:45:27Z