https://community.splunk.com/t5/Getting-Data-In/How-do-you-filter-windows-event-log/m-p/174452#M35104 <P>Set the below configs at indexer and give a try..</P> <P>props.conf</P> <PRE><CODE>[source::*:Security] TRANSFORMS-set=setnull,setparsing </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[setparsing] REGEX = . DEST_KEY = queue FORMAT = indexQueue [setnull] REGEX =(?m)^EventCode=(540|538) DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> Fri, 24 Oct 2014 09:51:51 GMT splunker12er 2014-10-24T09:51:51Z https://community.splunk.com/t5/Getting-Data-In/How-do-you-filter-windows-event-log/m-p/174450#M35102 <P>Hi, when I do the filtering windows log, I use the main program 6.1.4 then changed forwarder license, so Windows AD (main program changed forwarder license ) &gt;&gt; forwarder(main program changed forwarder license ) &gt;&gt; splunk index is my architecture.<BR /> I hope drop eventcode=540 and 538, I have a reference to other people's actions, but unsuccessful.</P> <P>transforms.conf</P> <P>props.conf<BR /> [WinEventLog:Security] * Or [WMI:WinEventLog:Security] Or [wmi:WinEventLog:Security] Or [source::WinEventLog:Security]<BR /> TRANSFORMS-set = delete</P> <P>[delete]<BR /> REGEX = (?msi)^EventCode=540 * Or REGEX=(?m)^EventCode=(540|538) Or REGEX=(?msi)^EventCode=(540|538) <BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</P> Fri, 24 Oct 2014 04:01:01 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-you-filter-windows-event-log/m-p/174450#M35102 chengyu 2014-10-24T04:01:01Z https://community.splunk.com/t5/Getting-Data-In/How-do-you-filter-windows-event-log/m-p/174451#M35103 <P>I find this difficult to understand. </P> <P>Do you mean that you have a forwarder sending to an indexer, or that you have a forwarder running with AD sending to another forwarder, that sends to an indexer?</P> <P>Can you please show a specific case of your props.conf? Is the transforms.conf empty?</P> <P>On which system are you setting up these configurations? Are the systems Universal Forwarders or forwarders configured as Splunk Light Forwarders? </P> <P>It might be easier to use the WinEventLog filtering that is built-in to the input, for example:</P> <PRE><CODE>[WinEventLog://Security] blacklist= 540,538 </CODE></PRE> Fri, 24 Oct 2014 04:59:27 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-you-filter-windows-event-log/m-p/174451#M35103 jrodman 2014-10-24T04:59:27Z https://community.splunk.com/t5/Getting-Data-In/How-do-you-filter-windows-event-log/m-p/174452#M35104 <P>Set the below configs at indexer and give a try..</P> <P>props.conf</P> <PRE><CODE>[source::*:Security] TRANSFORMS-set=setnull,setparsing </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[setparsing] REGEX = . DEST_KEY = queue FORMAT = indexQueue [setnull] REGEX =(?m)^EventCode=(540|538) DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> Fri, 24 Oct 2014 09:51:51 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-you-filter-windows-event-log/m-p/174452#M35104 splunker12er 2014-10-24T09:51:51Z https://community.splunk.com/t5/Getting-Data-In/How-do-you-filter-windows-event-log/m-p/174453#M35105 <P>Not sure why you'd use [source::*:Security] If that works, then [source::WinEventLog:Security] would also work, and be a fair amount clearer, I think. I'd use the sourcetype myself.</P> <P>This should indeed work, however, if there are no heavy forwarders along the way.</P> <P>Filtering at the input level is more efficient, but it doesn't work with old versions of forwarders, so there's the tradeoff.</P> Fri, 24 Oct 2014 10:13:48 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-you-filter-windows-event-log/m-p/174453#M35105 jrodman 2014-10-24T10:13:48Z