https://community.splunk.com/t5/Getting-Data-In/nullQueue-for-Windows-event-codes-not-working/m-p/148570#M30243 <P>the settings are on the indexers - I am working with support on the issue - Thanks for the suggestions</P> Mon, 29 Jun 2015 15:35:28 GMT ebailey 2015-06-29T15:35:28Z https://community.splunk.com/t5/Getting-Data-In/nullQueue-for-Windows-event-codes-not-working/m-p/148565#M30238 <P>Hello,</P> <P>I am trying to setup a nullQueue for Windows security events we do not care to index into Splunk and my configuration is not working. I am using the below on the Indexer and restarted Splunk. I do not see any errors and I am not sure how else to troubleshoot the issue. The sourcetype in the props matches the sourcetype of the data. Any feedback is most appreciated.</P> <P>props.conf</P> <P>[WinEventLog:Security]<BR /> TRANSFORMS-WinEvents=eliminate-eventcodes</P> <P>transforms.conf</P> <P>[eliminate-eventcodes]<BR /> REGEX = EventCode=(5156|4656|33205|5158|577|578|5157|5145|4769|4768|5145|4634)<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</P> Thu, 11 Jun 2015 14:45:47 GMT https://community.splunk.com/t5/Getting-Data-In/nullQueue-for-Windows-event-codes-not-working/m-p/148565#M30238 ebailey 2015-06-11T14:45:47Z https://community.splunk.com/t5/Getting-Data-In/nullQueue-for-Windows-event-codes-not-working/m-p/148566#M30239 <P>Try...</P> <P>props.conf</P> <PRE><CODE>[WinEventLog:Security] TRANSFORMS-DiscardWinEvents = eliminate-eventcodes </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[eliminate-eventcodes] REGEX = (?m)^EventCode=(5156|4656|33205|5158|577|578|5157|5145|4769|4768|5145|4634) DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> <P>You'll need to restart your indexer again after making the change.</P> Thu, 11 Jun 2015 22:24:45 GMT https://community.splunk.com/t5/Getting-Data-In/nullQueue-for-Windows-event-codes-not-working/m-p/148566#M30239 masonmorales 2015-06-11T22:24:45Z https://community.splunk.com/t5/Getting-Data-In/nullQueue-for-Windows-event-codes-not-working/m-p/148567#M30240 <P>No joy - I made the change and then restarted splunkd. The events are still being indexed. I have other data getting dumped to nullqeueu so this not working is confusing.</P> Fri, 12 Jun 2015 14:12:38 GMT https://community.splunk.com/t5/Getting-Data-In/nullQueue-for-Windows-event-codes-not-working/m-p/148567#M30240 ebailey 2015-06-12T14:12:38Z https://community.splunk.com/t5/Getting-Data-In/nullQueue-for-Windows-event-codes-not-working/m-p/148568#M30241 <P>Could email me a ./splunk diag from your forwarder and your indexer? (See e-mail address in my portfolio) </P> Fri, 12 Jun 2015 14:52:29 GMT https://community.splunk.com/t5/Getting-Data-In/nullQueue-for-Windows-event-codes-not-working/m-p/148568#M30241 masonmorales 2015-06-12T14:52:29Z https://community.splunk.com/t5/Getting-Data-In/nullQueue-for-Windows-event-codes-not-working/m-p/148569#M30242 <P>if you are using an Universal/Lightweight forwarder, then the nullQueue props/transforms have to be on the indexers.<BR /> But if you re using heavy forwarders (HF), you need to put the props/transforms have to to be on the HF.</P> <P>otherwise since splunk 5, you can filter evencodes directly on the forwarders in the inputs.con (look for blacklist under WinEventcode)</P> Fri, 12 Jun 2015 23:39:02 GMT https://community.splunk.com/t5/Getting-Data-In/nullQueue-for-Windows-event-codes-not-working/m-p/148569#M30242 yannK 2015-06-12T23:39:02Z https://community.splunk.com/t5/Getting-Data-In/nullQueue-for-Windows-event-codes-not-working/m-p/148570#M30243 <P>the settings are on the indexers - I am working with support on the issue - Thanks for the suggestions</P> Mon, 29 Jun 2015 15:35:28 GMT https://community.splunk.com/t5/Getting-Data-In/nullQueue-for-Windows-event-codes-not-working/m-p/148570#M30243 ebailey 2015-06-29T15:35:28Z