https://community.splunk.com/t5/Getting-Data-In/filter-WinEventLog-Security-by-Account-Name/m-p/25310#M4089 <P>I've finally gotten this to work on my own.</P> <P>A few things changed. </P> <P>1) I upgraded to the newest version of Splunk<BR /> 2) I changed the regex statement to be just regex = splunkrdba<BR /> 3) I change transforms.conf to be FORMAT = nullQueue</P> <P>I believe the 1st didn't really do much, but I wanted to mention it. I think the second one finally caught what I wanted without catching anything else, and I believe the capital Q is necessary. Hope this helps someone else.</P> Mon, 11 Feb 2013 18:23:19 GMT jturnerrdba 2013-02-11T18:23:19Z https://community.splunk.com/t5/Getting-Data-In/filter-WinEventLog-Security-by-Account-Name/m-p/25308#M4087 <P>I'm running Splunk 5.0 build 140868 on a Windows 2008 R2 server. I'm trying to Audit file and folder deletes on this server, but the appropriate way to do this is to log for everyone. My Splunk service account, splunkrdba, makes changes to it's logs constantly, so I want to send these events to the null queue, but I'm having issues with the Regex. Below see my most recent props.conf, transforms.conf, and a sample log that I'm trying to prevent.</P> <P>Props.conf<BR /> [WinEventLog:Security]<BR /> TRANSFORMS-wmi= wminull</P> <P>Transforms.conf<BR /> [wminull]<BR /> REGEX = (?msi)^Accoung_Name=splunkrdba<BR /> DEST_KEY = queue<BR /> FORMAT = nullqueue</P> <P>02/08/2013 09:32:55 AM<BR /> LogName=Security<BR /> SourceName=Microsoft Windows security auditing.<BR /> EventCode=4660<BR /> EventType=0<BR /> Type=Information<BR /> ComputerName= X<BR /> TaskCategory=File System<BR /> OpCode=Info<BR /> RecordNumber=3184693<BR /> Keywords=Audit Success<BR /> Message=An object was deleted.</P> <P>Subject:<BR /> Security ID: RDBA\splunkrdba<BR /> Account Name: splunkrdba<BR /> Account Domain: RDBA<BR /> Logon ID: 0xb8bbf7</P> <P>Object:<BR /> Object Server: Security<BR /> Handle ID: 0x64</P> <P>Process Information:<BR /> Process ID: 0x1b00<BR /> Process Name: C:\Program Files\Splunk\bin\splunk-optimize.exe<BR /> Transaction ID: {00000000-0000-0000-0000-000000000000}</P> <P>Collapse back to 10 lines</P> <PRE><CODE>host=RDBALOG-002 Options| sourcetype=WinEventLog:Security Options| source=WinEventLog:Security Options </CODE></PRE> Mon, 28 Sep 2020 13:16:33 GMT https://community.splunk.com/t5/Getting-Data-In/filter-WinEventLog-Security-by-Account-Name/m-p/25308#M4087 jturnerrdba 2020-09-28T13:16:33Z https://community.splunk.com/t5/Getting-Data-In/filter-WinEventLog-Security-by-Account-Name/m-p/25309#M4088 <P>Just as an FYI, I noticed a typo in this. Transforms.conf now reads as below. This did not fix the issue however.</P> <P>[wminull]<BR /> REGEX = (?msi)^Account_Name=splunkrdba<BR /> DEST_KEY = queue<BR /> FORMAT = nullqueue</P> Mon, 28 Sep 2020 13:16:46 GMT https://community.splunk.com/t5/Getting-Data-In/filter-WinEventLog-Security-by-Account-Name/m-p/25309#M4088 jturnerrdba 2020-09-28T13:16:46Z https://community.splunk.com/t5/Getting-Data-In/filter-WinEventLog-Security-by-Account-Name/m-p/25310#M4089 <P>I've finally gotten this to work on my own.</P> <P>A few things changed. </P> <P>1) I upgraded to the newest version of Splunk<BR /> 2) I changed the regex statement to be just regex = splunkrdba<BR /> 3) I change transforms.conf to be FORMAT = nullQueue</P> <P>I believe the 1st didn't really do much, but I wanted to mention it. I think the second one finally caught what I wanted without catching anything else, and I believe the capital Q is necessary. Hope this helps someone else.</P> Mon, 11 Feb 2013 18:23:19 GMT https://community.splunk.com/t5/Getting-Data-In/filter-WinEventLog-Security-by-Account-Name/m-p/25310#M4089 jturnerrdba 2013-02-11T18:23:19Z