https://community.splunk.com/t5/Getting-Data-In/Filtering-windows-events-not-successful-on-splunk-forwarder/m-p/29596#M5090 <P>Hi, </P> <P>I've installed splunk forwarder(regular) on windows server and trying to filter off certain events when sending to splunk indexer. Here is my sample configuration: </P> <P>props.conf<BR /> [WinEventLog:Security]<BR /> TRANSFORMS-null = setnull</P> <P>transform.conf<BR /> [setnull]<BR /> REGEX = (?m)^EventCode=(540|673|861)\b<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</P> <P>Splunk services were stopped while I'm editing the files and enabled after.The configuration was done on the forwarder itself.I did a search where "host=serverA EventCode=540" and I still see the events.</P> <P>Any idea?</P> Fri, 13 Aug 2010 09:55:57 GMT remy06 2010-08-13T09:55:57Z https://community.splunk.com/t5/Getting-Data-In/Filtering-windows-events-not-successful-on-splunk-forwarder/m-p/29596#M5090 <P>Hi, </P> <P>I've installed splunk forwarder(regular) on windows server and trying to filter off certain events when sending to splunk indexer. Here is my sample configuration: </P> <P>props.conf<BR /> [WinEventLog:Security]<BR /> TRANSFORMS-null = setnull</P> <P>transform.conf<BR /> [setnull]<BR /> REGEX = (?m)^EventCode=(540|673|861)\b<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</P> <P>Splunk services were stopped while I'm editing the files and enabled after.The configuration was done on the forwarder itself.I did a search where "host=serverA EventCode=540" and I still see the events.</P> <P>Any idea?</P> Fri, 13 Aug 2010 09:55:57 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-windows-events-not-successful-on-splunk-forwarder/m-p/29596#M5090 remy06 2010-08-13T09:55:57Z https://community.splunk.com/t5/Getting-Data-In/Filtering-windows-events-not-successful-on-splunk-forwarder/m-p/29597#M5091 <P>Just making sure : When you say "I still see the events", are you referring to events that were indexed before you made your changes?</P> Fri, 13 Aug 2010 13:45:22 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-windows-events-not-successful-on-splunk-forwarder/m-p/29597#M5091 hexx 2010-08-13T13:45:22Z https://community.splunk.com/t5/Getting-Data-In/Filtering-windows-events-not-successful-on-splunk-forwarder/m-p/29598#M5092 <P>Is this LightWeightForwarder(LWF) or a regular forwarder? If this is LightWeightForwarder, this may not work as data is not not parsed into individual events in LWF.</P> Tue, 17 Aug 2010 04:36:16 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-windows-events-not-successful-on-splunk-forwarder/m-p/29598#M5092 Jag 2010-08-17T04:36:16Z https://community.splunk.com/t5/Getting-Data-In/Filtering-windows-events-not-successful-on-splunk-forwarder/m-p/29599#M5093 <P>This is working for me now..although there isn't much difference than the previous but here goes: </P> <P><CODE> [setnull]<BR /> REGEX = (?msi)^EventCode=(540|673|861)\b<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</CODE> </P> Tue, 19 Oct 2010 10:31:37 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-windows-events-not-successful-on-splunk-forwarder/m-p/29599#M5093 remy06 2010-10-19T10:31:37Z https://community.splunk.com/t5/Getting-Data-In/Filtering-windows-events-not-successful-on-splunk-forwarder/m-p/29600#M5094 <P>Am using a regular forwarder</P> Tue, 19 Oct 2010 10:32:07 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-windows-events-not-successful-on-splunk-forwarder/m-p/29600#M5094 remy06 2010-10-19T10:32:07Z https://community.splunk.com/t5/Getting-Data-In/Filtering-windows-events-not-successful-on-splunk-forwarder/m-p/29601#M5095 <P>I monitored the events after ive made the changes and still see them</P> Tue, 19 Oct 2010 10:32:35 GMT https://community.splunk.com/t5/Getting-Data-In/Filtering-windows-events-not-successful-on-splunk-forwarder/m-p/29601#M5095 remy06 2010-10-19T10:32:35Z