https://community.splunk.com/t5/Getting-Data-In/Transforming-Frowarded-WinEvents/m-p/174210#M35071 <P>Yes, I should have been more specific. I am transforming on the indexer. I want to be able to transform any parts of the events. To send all WinEventLog:Security to the null queue for example.</P> Tue, 10 Dec 2013 19:47:33 GMT jwarfel 2013-12-10T19:47:33Z https://community.splunk.com/t5/Getting-Data-In/Transforming-Frowarded-WinEvents/m-p/174208#M35069 <P>Scenario:<BR /> Multiple WinHosts forwarding logs to separate Linux indexers using Splunk Forwarders.</P> <P>Objective:<BR /> The ability to transform WinEvents using transforms.conf and props.conf</P> <P>Situation:<BR /> Transforming data from local sources, such as syslog works without error. Transforming the forwarded events is not working. I am wondering if I need to specify the forwarded data in inputs.conf?</P> Tue, 10 Dec 2013 18:57:10 GMT https://community.splunk.com/t5/Getting-Data-In/Transforming-Frowarded-WinEvents/m-p/174208#M35069 jwarfel 2013-12-10T18:57:10Z https://community.splunk.com/t5/Getting-Data-In/Transforming-Frowarded-WinEvents/m-p/174209#M35070 <P>What parts of the events do you want transform, and why?</P> <P>In any case, you do know that the props/transforms settings should be configured on the indexer, right?</P> <P><A href="http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings">http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings</A></P> <P>/k</P> Tue, 10 Dec 2013 19:27:23 GMT https://community.splunk.com/t5/Getting-Data-In/Transforming-Frowarded-WinEvents/m-p/174209#M35070 kristian_kolb 2013-12-10T19:27:23Z https://community.splunk.com/t5/Getting-Data-In/Transforming-Frowarded-WinEvents/m-p/174210#M35071 <P>Yes, I should have been more specific. I am transforming on the indexer. I want to be able to transform any parts of the events. To send all WinEventLog:Security to the null queue for example.</P> Tue, 10 Dec 2013 19:47:33 GMT https://community.splunk.com/t5/Getting-Data-In/Transforming-Frowarded-WinEvents/m-p/174210#M35071 jwarfel 2013-12-10T19:47:33Z https://community.splunk.com/t5/Getting-Data-In/Transforming-Frowarded-WinEvents/m-p/174211#M35072 <P>What version of splunk are you using?</P> Tue, 10 Dec 2013 20:03:25 GMT https://community.splunk.com/t5/Getting-Data-In/Transforming-Frowarded-WinEvents/m-p/174211#M35072 lukejadamec 2013-12-10T20:03:25Z https://community.splunk.com/t5/Getting-Data-In/Transforming-Frowarded-WinEvents/m-p/174212#M35073 <P>Version = 5.0.2</P> Tue, 10 Dec 2013 20:06:01 GMT https://community.splunk.com/t5/Getting-Data-In/Transforming-Frowarded-WinEvents/m-p/174212#M35073 jwarfel 2013-12-10T20:06:01Z https://community.splunk.com/t5/Getting-Data-In/Transforming-Frowarded-WinEvents/m-p/174213#M35074 <P>Well, if you want to be rid of all <CODE>WinEventLog:Security</CODE>, it's probably better to not monitor them in the first place. Other than that, it could be done like;</P> <P>props.conf</P> <PRE><CODE>[WinEventLog:Security] TRANSFORMS-blah = discard </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[discard] REGEX = . DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> <P>This is not working for you?</P> <P>/K</P> Tue, 10 Dec 2013 20:41:57 GMT https://community.splunk.com/t5/Getting-Data-In/Transforming-Frowarded-WinEvents/m-p/174213#M35074 kristian_kolb 2013-12-10T20:41:57Z https://community.splunk.com/t5/Getting-Data-In/Transforming-Frowarded-WinEvents/m-p/174214#M35075 <P>Here is a good example of filtering security events (in case you want to keep some of them).<BR /> Just remember the order is important - send to nullQueue first:</P> <P><A href="http://answers.splunk.com/answers/29218/filtering-windows-event-logs">http://answers.splunk.com/answers/29218/filtering-windows-event-logs</A></P> Tue, 10 Dec 2013 21:00:04 GMT https://community.splunk.com/t5/Getting-Data-In/Transforming-Frowarded-WinEvents/m-p/174214#M35075 lukejadamec 2013-12-10T21:00:04Z https://community.splunk.com/t5/Getting-Data-In/Transforming-Frowarded-WinEvents/m-p/174215#M35076 <P>No, that is not working for me. I think it has something to do with the events being forwarded.</P> Tue, 10 Dec 2013 21:02:46 GMT https://community.splunk.com/t5/Getting-Data-In/Transforming-Frowarded-WinEvents/m-p/174215#M35076 jwarfel 2013-12-10T21:02:46Z https://community.splunk.com/t5/Getting-Data-In/Transforming-Frowarded-WinEvents/m-p/174216#M35077 <P>This is not working either.</P> Tue, 10 Dec 2013 22:20:15 GMT https://community.splunk.com/t5/Getting-Data-In/Transforming-Frowarded-WinEvents/m-p/174216#M35077 jwarfel 2013-12-10T22:20:15Z https://community.splunk.com/t5/Getting-Data-In/Transforming-Frowarded-WinEvents/m-p/174217#M35078 <P>Filtering windows events is a very common practice. It does work - I do it myself.<BR /> But, there are a number of things that can go wrong.<BR /> What exactly is the sourcetype? Where are you placing the configs, which files, and what are the configs?<BR /> Why do you think there is something wrong with the forwarded data - windows security logs are standard, but they can come from at least two different sources.<BR /> Did you restart Splunk on the indexer after you made the changes?<BR /> Lastly, you do know that these changes will not affect logs already indexed right?</P> Tue, 10 Dec 2013 22:57:06 GMT https://community.splunk.com/t5/Getting-Data-In/Transforming-Frowarded-WinEvents/m-p/174217#M35078 lukejadamec 2013-12-10T22:57:06Z