https://community.splunk.com/t5/Getting-Data-In/How-to-filter-out-Windows-events-logs-based-on-words/m-p/116378#M24286 <P>Hi Martin, Thanks for your reply.</P> <P>I checked all you wrote and it's not the issue.</P> <P>Am I using the right regex to filler out this event and have Splunk not index it?</P> <P>Thanks</P> Sun, 12 Jul 2015 18:51:02 GMT Rotema 2015-07-12T18:51:02Z https://community.splunk.com/t5/Getting-Data-In/How-to-filter-out-Windows-events-logs-based-on-words/m-p/116376#M24284 <P>Hi,</P> <P>I'm trying to filter out specific windows event log that's Id=0 <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> <P>This is the event:</P> <PRE><CODE>ERROR 2015-07-12 13:11:31,270 There is no security-data for the current context.. Occured in method:"Register", in process:"w3wp" </CODE></PRE> <P>Stack trace:</P> <PRE><CODE> at iFOREX.Security.Context.SecurityDataProvider.AssertExists() in d:\BuildAreas\RelFxnet3\FX3-81\Source\iFOREX Framework\iFOREX.Security\iFOREX.Security\Context\SecurityDataProvider.cs:line 26 at iFOREX.Clients.Web.Classes.AppGlobal.get_SecurityToken() in d:\BuildAreas\RelFxnet3\FX3-81\Source\iFOREX Framework\IFOREX.Clients\iFOREX.Clients.Web\BaseClasses\AppGlobal.cs:line 212 at iFOREX.Clients.Web.Common.Utils.SecurityHelper.CheckSecurity(String checkSecurityParam, HttpSessionState session) in d:\BuildAreas\RelFxnet3\FX3-81\Source\iFOREX Framework\IFOREX.Clients\iFOREX.Clients.Web\Common\Utils\SecurityHelper.cs:line 55 at iFOREX.Clients.Web.Common.Utils.SecurityHelper.CheckSecurity(HttpContext context) in d:\BuildAreas\RelFxnet3\FX3-81\Source\iFOREX Framework\IFOREX.Clients\iFOREX.Clients.Web\Common\Utils\SecurityHelper.cs:line 42 at iFOREX.Clients.Web.Handlers.ClientState.OnProcessRequest(HttpContext context) in d:\BuildAreas\RelFxnet3\FX3-81\Source\iFOREX Framework\IFOREX.Clients\iFOREX.Clients.Web\Handlers\ClientState\ClientState.ashx.cs:line 64 </CODE></PRE> <P>What I tried: </P> <P>props.conf:</P> <PRE><CODE>[WMI:Applications] TRANSFORMS-wmi=wminull1 </CODE></PRE> <P>transforms.conf:</P> <PRE><CODE>[wminull1] REGEX = There is no security-data for the current context DEST_KEY=queue FORMAT=nullQueue </CODE></PRE> <P>But I can't seem to make it work and have Splunk not index this event. </P> <P>Can anyone please help?</P> <P>Thanks</P> Sun, 12 Jul 2015 13:21:12 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-out-Windows-events-logs-based-on-words/m-p/116376#M24284 Rotema 2015-07-12T13:21:12Z https://community.splunk.com/t5/Getting-Data-In/How-to-filter-out-Windows-events-logs-based-on-words/m-p/116377#M24285 <P>Make sure that...</P> <UL> <LI>your sourcetype matches <CODE>WMI:Applications</CODE> exactly</LI> <LI>you set this on the indexers or heavy forwarders</LI> <LI>you restart the instances you set this on</LI> <LI>there are no configuration errors during restart</LI> <LI>you're looking at newly indexed data and not old data</LI> </UL> Sun, 12 Jul 2015 14:27:15 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-out-Windows-events-logs-based-on-words/m-p/116377#M24285 martin_mueller 2015-07-12T14:27:15Z https://community.splunk.com/t5/Getting-Data-In/How-to-filter-out-Windows-events-logs-based-on-words/m-p/116378#M24286 <P>Hi Martin, Thanks for your reply.</P> <P>I checked all you wrote and it's not the issue.</P> <P>Am I using the right regex to filler out this event and have Splunk not index it?</P> <P>Thanks</P> Sun, 12 Jul 2015 18:51:02 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-out-Windows-events-logs-based-on-words/m-p/116378#M24286 Rotema 2015-07-12T18:51:02Z https://community.splunk.com/t5/Getting-Data-In/How-to-filter-out-Windows-events-logs-based-on-words/m-p/116379#M24287 <P>My guess is that you have extra whitespace which you are not noticing; have you tested your RegEx against actual log messages? If you can't/won't, then try this and see if it works:</P> <PRE><CODE>REGEX = There\s+is\s+no\s+security\s*-\s*data\s+for\s+the\s+current\s+context </CODE></PRE> <P>Bad RegEx is the only thing that makes sense if you are certain that you have checked everything else already mentioned.</P> Mon, 13 Jul 2015 01:28:22 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-out-Windows-events-logs-based-on-words/m-p/116379#M24287 woodcock 2015-07-13T01:28:22Z https://community.splunk.com/t5/Getting-Data-In/How-to-filter-out-Windows-events-logs-based-on-words/m-p/116380#M24288 <P>Hi,<BR /> if I use the regex There\s+is\s+no\s+security\s*-\s*data\s+for\s+the\s+current\s+context on the search line it works but if not on the transforms.conf</P> <P>Thanks,</P> Tue, 29 Sep 2020 06:39:59 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-out-Windows-events-logs-based-on-words/m-p/116380#M24288 Rotema 2020-09-29T06:39:59Z https://community.splunk.com/t5/Getting-Data-In/How-to-filter-out-Windows-events-logs-based-on-words/m-p/116381#M24289 <P>Hi,<BR /> if I use the regex There\s+is\s+no\s+security\s*-\s*data\s+for\s+the\s+current\s+context on the search line it works but if not on the transforms.conf</P> <P>Thanks,</P> Tue, 29 Sep 2020 06:40:01 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-out-Windows-events-logs-based-on-words/m-p/116381#M24289 Rotema 2020-09-29T06:40:01Z https://community.splunk.com/t5/Getting-Data-In/How-to-filter-out-Windows-events-logs-based-on-words/m-p/116382#M24290 <P>Does your original RegEx work in the search bar, too? Where exactly did you put your <CODE>props.conf</CODE> and <CODE>transforms.conf</CODE> files? Did you spell the filenames correctly?</P> Mon, 13 Jul 2015 14:19:26 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-out-Windows-events-logs-based-on-words/m-p/116382#M24290 woodcock 2015-07-13T14:19:26Z https://community.splunk.com/t5/Getting-Data-In/How-to-filter-out-Windows-events-logs-based-on-words/m-p/116383#M24291 <P>Hi,</P> <P>I haven't tried it with the original regex just with this one: There\s+is\s+no\s+security\s*-\s*data\s+for\s+the\s+current\s+context</P> <P>So in the search line, if I enter: sourcetype="WMI:WinEventLog:Applications" | regex There\s+is\s+no\s+security\s*-\s*data\s+for\s+the\s+current\s+context</P> <P>It seems to work and I do see the events</P> <P>Now, want i want to filter them out and have Splunk not index them, i use:<BR /> Props.conf:<BR /> [WMI:WinEventLog:Applications]<BR /> TRANSFORMS-wmi = WinSecEvents-null</P> <P>Transforms.conf:<BR /> [WinSecEvents-null]<BR /> REGEX = There\s+is\s+no\s+security\s*-\s*data\s+for\s+the\s+current\s+context<BR /> DEST_KEY=queue<BR /> FORMAT=nullQueue</P> <P>And these doesn't seems to work. no matter what, Splunk keep indexing them and i See new entries.</P> <P>thanks,</P> Tue, 29 Sep 2020 06:40:28 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-out-Windows-events-logs-based-on-words/m-p/116383#M24291 Rotema 2020-09-29T06:40:28Z https://community.splunk.com/t5/Getting-Data-In/How-to-filter-out-Windows-events-logs-based-on-words/m-p/116384#M24292 <P>Hi,<BR /> The issue was solved by using the following regex:<BR /> REGEX = (?ms)There is no security-data for the current context</P> <P>Thanks for the help.</P> Thu, 16 Jul 2015 07:19:41 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-out-Windows-events-logs-based-on-words/m-p/116384#M24292 Rotema 2015-07-16T07:19:41Z https://community.splunk.com/t5/Getting-Data-In/How-to-filter-out-Windows-events-logs-based-on-words/m-p/116385#M24293 <P>Ah, the text was split across multiple lines inside a multi-line event. That explains it.</P> Thu, 16 Jul 2015 13:21:36 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-out-Windows-events-logs-based-on-words/m-p/116385#M24293 woodcock 2015-07-16T13:21:36Z