https://community.splunk.com/t5/Getting-Data-In/Discard-Windows-Events-and-keep-the-rest/m-p/16852#M2069 <P>Not sure if anything yet but tried shifting the configuration to the forwarder itself now as mine seems to be a heavy forwarder.</P> <P>Found this link to be useful: <A href="http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings%3F" rel="nofollow">Where do I configure my Splunk settings?</A></P> <P>Seems ok but am monitoring it.If it works, it solves my problem of filtering out event codes on one server but not another as well..</P> Mon, 05 Jul 2010 15:42:31 GMT apro 2010-07-05T15:42:31Z https://community.splunk.com/t5/Getting-Data-In/Discard-Windows-Events-and-keep-the-rest/m-p/16851#M2068 <P>Hi,</P> <P>Had installed splunk on serverA and serverB and configured both as a forwarder to forward wineventlogs to splunk indexer.</P> <P>I will like to filter out certain events(eg.540) and I tried doing this on the splunk indexer itself: </P> <P><CODE>/opt/splunk/etc/system/local/props.conf<BR /> [WinEventLog:Security]<BR /> TRANSFORMS-null = setnull</CODE> </P> <P><CODE>/opt/splunk/etc/system/local/transforms.conf<BR /> [setnull]<BR /> REGEX = (?m)^EventCode=540<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue </CODE> </P> <P>Apparently it still doesn't work after doing a search the events are still shown:<BR /> host="serverA" EventCode=540 </P> <P>1) How do I filter out event code 540? Should it be done on the forwarder itself or splunk indexer?</P> <P>2) How do I filter out event code 540, only on serverA and not serverB?</P> <P>Thanks.</P> Mon, 05 Jul 2010 11:09:27 GMT https://community.splunk.com/t5/Getting-Data-In/Discard-Windows-Events-and-keep-the-rest/m-p/16851#M2068 apro 2010-07-05T11:09:27Z https://community.splunk.com/t5/Getting-Data-In/Discard-Windows-Events-and-keep-the-rest/m-p/16852#M2069 <P>Not sure if anything yet but tried shifting the configuration to the forwarder itself now as mine seems to be a heavy forwarder.</P> <P>Found this link to be useful: <A href="http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings%3F" rel="nofollow">Where do I configure my Splunk settings?</A></P> <P>Seems ok but am monitoring it.If it works, it solves my problem of filtering out event codes on one server but not another as well..</P> Mon, 05 Jul 2010 15:42:31 GMT https://community.splunk.com/t5/Getting-Data-In/Discard-Windows-Events-and-keep-the-rest/m-p/16852#M2069 apro 2010-07-05T15:42:31Z https://community.splunk.com/t5/Getting-Data-In/Discard-Windows-Events-and-keep-the-rest/m-p/16853#M2070 <P>Did this ever start working for you?</P> Tue, 24 Aug 2010 03:50:38 GMT https://community.splunk.com/t5/Getting-Data-In/Discard-Windows-Events-and-keep-the-rest/m-p/16853#M2070 aaronzabell 2010-08-24T03:50:38Z https://community.splunk.com/t5/Getting-Data-In/Discard-Windows-Events-and-keep-the-rest/m-p/16854#M2071 <P>I've had the same problem. I can filter perfmon this way. I have a mix of heavy/universal forwarders and don't want to implement the filter on every windows heavy forwarder individually.</P> Fri, 12 Jul 2013 12:31:42 GMT https://community.splunk.com/t5/Getting-Data-In/Discard-Windows-Events-and-keep-the-rest/m-p/16854#M2071 mgh4 2013-07-12T12:31:42Z