https://community.splunk.com/t5/Getting-Data-In/How-to-filter-Windows-event-logs-from-a-Universal-Forwarder/m-p/22605#M3510 <P>Your question title announces the question is regarding filtering the events on a UF, so...</P> <P>If you want help with the specific details you need to provide us with more information than that it "didn't work" - it's impossible to know exactly what you tried and what the exact result was. General info on event filtering is available here: <A href="http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Routeandfilterdatad#Keep_specific_events_and_discard_the_rest">http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Routeandfilterdatad#Keep_specific_events_and_discard_the_rest</A></P> Thu, 02 May 2013 17:37:57 GMT Ayn 2013-05-02T17:37:57Z https://community.splunk.com/t5/Getting-Data-In/How-to-filter-Windows-event-logs-from-a-Universal-Forwarder/m-p/22601#M3506 <P>Using 5.0.2. I am receiving Windows Event Logs at the Indexer from Universal Forwarders on Windows servers. I want to filter out or send to a null queue uninteresting Windows events, so I only see Error, Warning and Critical events. </P> <P>I know this needs to be in the props.conf and transforms.conf but can't get it to work.</P> Thu, 02 May 2013 17:28:01 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-Windows-event-logs-from-a-Universal-Forwarder/m-p/22601#M3506 mokeefe 2013-05-02T17:28:01Z https://community.splunk.com/t5/Getting-Data-In/How-to-filter-Windows-event-logs-from-a-Universal-Forwarder/m-p/22602#M3507 <P>You cannot filter events on a Universal Forwarder. Event filtering can only occur on Splunk instances that perform parsing, which Universal Forwarder doesn't (and can't) do. You need to either setup filtering on the indexer, or switch to a heavy forwarder instead of a Universal Forwarder.</P> Thu, 02 May 2013 17:31:56 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-Windows-event-logs-from-a-Universal-Forwarder/m-p/22602#M3507 Ayn 2013-05-02T17:31:56Z https://community.splunk.com/t5/Getting-Data-In/How-to-filter-Windows-event-logs-from-a-Universal-Forwarder/m-p/22603#M3508 <P>Yes, I know I can't do it at the UF, but I want to drop the events on the Indexer before they get indexed.</P> <P>Thanks</P> Thu, 02 May 2013 17:33:58 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-Windows-event-logs-from-a-Universal-Forwarder/m-p/22603#M3508 mokeefe 2013-05-02T17:33:58Z https://community.splunk.com/t5/Getting-Data-In/How-to-filter-Windows-event-logs-from-a-Universal-Forwarder/m-p/22604#M3509 <P>Yes, I know I can't do it at the UF, but I want to drop the events on the Indexer before they get indexed.</P> <P>Thanks</P> Thu, 02 May 2013 17:34:22 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-Windows-event-logs-from-a-Universal-Forwarder/m-p/22604#M3509 mokeefe 2013-05-02T17:34:22Z https://community.splunk.com/t5/Getting-Data-In/How-to-filter-Windows-event-logs-from-a-Universal-Forwarder/m-p/22605#M3510 <P>Your question title announces the question is regarding filtering the events on a UF, so...</P> <P>If you want help with the specific details you need to provide us with more information than that it "didn't work" - it's impossible to know exactly what you tried and what the exact result was. General info on event filtering is available here: <A href="http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Routeandfilterdatad#Keep_specific_events_and_discard_the_rest">http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Routeandfilterdatad#Keep_specific_events_and_discard_the_rest</A></P> Thu, 02 May 2013 17:37:57 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-Windows-event-logs-from-a-Universal-Forwarder/m-p/22605#M3510 Ayn 2013-05-02T17:37:57Z https://community.splunk.com/t5/Getting-Data-In/How-to-filter-Windows-event-logs-from-a-Universal-Forwarder/m-p/22606#M3511 <P>Check out new Windows Event Log capabilities in Splunk 6.1:</P> <P><A href="http://blogs.splunk.com/2014/05/23/controlling-4662-messages-in-the-windows-security-event-log/">http://blogs.splunk.com/2014/05/23/controlling-4662-messages-in-the-windows-security-event-log/</A></P> Fri, 31 Oct 2014 18:03:09 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-filter-Windows-event-logs-from-a-Universal-Forwarder/m-p/22606#M3511 Lowell 2014-10-31T18:03:09Z