<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Filter WinEventLog events based on the EventCodes in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Filter-WinEventLog-events-based-on-the-EventCodes/m-p/192753#M38462</link>
<description>&lt;P&gt;There is a new method, explained here:&lt;BR /&gt;
&lt;A href="http://docs.splunk.com/Documentation/Splunk/6.0.1/Data/MonitorWindowsdata"&gt;http://docs.splunk.com/Documentation/Splunk/6.0.1/Data/MonitorWindowsdata&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;You can set up a blacklist and a whitelist in inputs.conf on the Windows forwarders.&lt;BR /&gt;
The filter applies only to the EventCodes, but can use a list of codes or a range.&lt;BR /&gt;
The advantage is that the events are not collected in the first place, reducing the network traffic and the CPU usage on the indexers to filter using the regex.&lt;/P&gt;

&lt;P&gt;Example of your filter with the new version,&lt;BR /&gt;
on the forwarder in inputs.conf:&lt;BR /&gt;
&lt;CODE&gt;&lt;BR /&gt;
[WinEventLog:Security]&lt;BR /&gt;
disabled=false&lt;BR /&gt;
blacklist=592-594,1523&lt;BR /&gt;
&lt;/CODE&gt;&lt;/P&gt;</description>
    <pubDate>Tue, 31 Dec 2013 21:35:44 GMT</pubDate>
    <dc:creator>yannK</dc:creator>
    <dc:date>2013-12-31T21:35:44Z</dc:date>
    <item>
      <title>Filter WinEventLog events based on the EventCodes</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Filter-WinEventLog-events-based-on-the-EventCodes/m-p/192752#M38461</link>
<description>&lt;P&gt;To limit the indexing of some WinEventLogs, I was using a nullQueue filter at index time as described here:&lt;BR /&gt;
 &lt;A href="http://docs.splunk.com/Documentation/Splunk/6.0.1/Forwarding/Routeandfilterdatad#Filter_WMI_events"&gt;http://docs.splunk.com/Documentation/Splunk/6.0.1/Forwarding/Routeandfilterdatad#Filter_WMI_events&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;It helps limit the volume and get rid of some useless events.&lt;/P&gt;

&lt;P&gt;On the forwarder in inputs.conf:&lt;BR /&gt;
&lt;CODE&gt;&lt;BR /&gt;
[WinEventLog:Security]&lt;BR /&gt;
disabled=false&lt;BR /&gt;
&lt;/CODE&gt;&lt;/P&gt;

&lt;P&gt;On the indexers in props.conf:&lt;BR /&gt;
&lt;CODE&gt;&lt;BR /&gt;
[WinEventLog:Security]&lt;BR /&gt;
TRANSFORMS-myWonderFilter=getRidOfThoseEventCodes&lt;BR /&gt;
&lt;/CODE&gt;&lt;/P&gt;

&lt;P&gt;And in transforms.conf:&lt;BR /&gt;
&lt;CODE&gt;&lt;BR /&gt;
[getRidOfThoseEventCodes]&lt;BR /&gt;
REGEX=(?m)^EventCode=(592|593|594|1523)&lt;BR /&gt;
DEST_KEY=queue&lt;BR /&gt;
FORMAT=nullQueue&lt;BR /&gt;
&lt;/CODE&gt;&lt;/P&gt;

&lt;P&gt;It works, but the events are still collected and forwarded. I heard about a new method in Splunk 6.* to filter at the forwarder level. Any examples?&lt;/P&gt;</description>
      <pubDate>Tue, 31 Dec 2013 21:32:34 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Filter-WinEventLog-events-based-on-the-EventCodes/m-p/192752#M38461</guid>
      <dc:creator>mataharry</dc:creator>
      <dc:date>2013-12-31T21:32:34Z</dc:date>
    </item>
    <item>
      <title>Re: Filter WinEventLog events based on the EventCodes</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Filter-WinEventLog-events-based-on-the-EventCodes/m-p/192753#M38462</link>
<description>&lt;P&gt;There is a new method, explained here:&lt;BR /&gt;
&lt;A href="http://docs.splunk.com/Documentation/Splunk/6.0.1/Data/MonitorWindowsdata"&gt;http://docs.splunk.com/Documentation/Splunk/6.0.1/Data/MonitorWindowsdata&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;You can set up a blacklist and a whitelist in inputs.conf on the Windows forwarders.&lt;BR /&gt;
The filter applies only to the EventCodes, but can use a list of codes or a range.&lt;BR /&gt;
The advantage is that the events are not collected in the first place, reducing the network traffic and the CPU usage on the indexers to filter using the regex.&lt;/P&gt;

&lt;P&gt;Example of your filter with the new version,&lt;BR /&gt;
on the forwarder in inputs.conf:&lt;BR /&gt;
&lt;CODE&gt;&lt;BR /&gt;
[WinEventLog:Security]&lt;BR /&gt;
disabled=false&lt;BR /&gt;
blacklist=592-594,1523&lt;BR /&gt;
&lt;/CODE&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 31 Dec 2013 21:35:44 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Filter-WinEventLog-events-based-on-the-EventCodes/m-p/192753#M38462</guid>
      <dc:creator>yannK</dc:creator>
      <dc:date>2013-12-31T21:35:44Z</dc:date>
    </item>
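Added example, written for this page and not code from the thread or from Splunk: it models the two EventCode filters discussed above on constructed events, so the difference between the forwarder-side whitelist/blacklist keys (list-and-range syntax such as 592-594,1523) and the index-time nullQueue regex from the question can be seen on realistic-looking input. It assumes the inputs.conf list syntax the reply shows and a raw event layout with EventCode on its own line. The sample events are constructed, and the codes 5920 and 15230 are made up (not real Security event IDs) to show that the unanchored transforms.conf regex also matches the start of a longer code.

```python
"""Added example, not code from the Splunk thread: model the two EventCode
filters discussed above and run them over constructed events.

Assumptions (mine): inputs.conf whitelist/blacklist values are a comma-separated
list of event IDs and inclusive ranges ("592-594,1523"), and the index-time
nullQueue regex is applied to raw event text where "EventCode=NNN" starts a
line. Precedence when both whitelist and blacklist are set is not modelled
here; check the Splunk docs for your version.
"""
import re


def parse_id_list(spec):
    """Expand an inputs.conf-style list such as "592-594,1523" into a set of ints."""
    ids = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError("bad range: " + part)
            ids.update(range(lo, hi + 1))   # ranges are inclusive at both ends
        else:
            ids.add(int(part))
    return ids


def forwarder_filter(event_codes, whitelist=None, blacklist=None):
    """Codes a forwarder would collect under a whitelist OR a blacklist.

    whitelist: only the listed codes are collected, everything else is never read.
    blacklist: the listed codes are dropped, everything else is collected.
    """
    if whitelist is not None and blacklist is not None:
        raise ValueError("this model handles one list at a time")
    codes = set(event_codes)
    if whitelist is not None:
        codes = codes.intersection(parse_id_list(whitelist))
    if blacklist is not None:
        codes = codes.difference(parse_id_list(blacklist))
    return sorted(codes)


# Index-time regexes in transforms.conf style. (?m) lets ^ and $ work per line.
# UNANCHORED is the one from the question; ANCHORED adds an end-of-line anchor
# so that 592 cannot also match the start of a longer code such as 5920.
UNANCHORED = re.compile(r"(?m)^EventCode=(592|593|594|1523)")
ANCHORED = re.compile(r"(?m)^EventCode=(592|593|594|1523)\s*$")
CODE_LINE = re.compile(r"(?m)^EventCode=(\d+)\s*$")


def sample_event(code, text):
    """Constructed text loosely shaped like a WinEventLog:Security event."""
    return ("12/31/2013 09:00:00 PM\r\n"
            "LogName=Security\r\n"
            "EventCode=%d\r\n"
            "EventType=8\r\n"
            "Message=%s\r\n" % (code, text))


# 528 is a normal logon; 592-594 and 1523 are the codes the question drops;
# 5920 and 15230 are constructed, not real Security IDs, to expose prefix matching.
SAMPLE_CODES = [528, 592, 593, 594, 1523, 5920, 15230]
SAMPLE_EVENTS = [sample_event(c, "constructed event %d" % c) for c in SAMPLE_CODES]


def surviving_codes(events, regex):
    """Codes of the events the nullQueue regex does NOT match (i.e. still indexed)."""
    return [int(CODE_LINE.search(e).group(1)) for e in events if not regex.search(e)]


if __name__ == "__main__":
    print("blacklist keeps :", forwarder_filter(SAMPLE_CODES, blacklist="592-594,1523"))
    print("whitelist keeps :", forwarder_filter(SAMPLE_CODES, whitelist="592-594,1523"))
    print("unanchored regex:", surviving_codes(SAMPLE_EVENTS, UNANCHORED))
    print("anchored regex  :", surviving_codes(SAMPLE_EVENTS, ANCHORED))
```

Running it shows the practical difference between the two inputs.conf keys: the whitelist keeps only the four listed codes, while the blacklist drops exactly those four and forwards everything else, which is the behaviour the question's nullQueue filter had. The anchored variant of the transforms.conf regex only matters if a code sharing a prefix with one of the listed codes can appear in the log, but it costs nothing to add.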
  </channel>
</rss>

