https://community.splunk.com/t5/Getting-Data-In/Reducing-Windows-Security-Events-flow-by-filtering-in-parsing/m-p/272631#M52373 <P>I Tried : </P> <H6>#### Windows:Security</H6> <P>[setnull]<BR /> REGEX = .<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</P> <P>[secsetparsing2]<BR /> REGEX=Administrator<BR /> DEST_KEY = queue<BR /> FORMAT = indexQueue</P> <P>[secsetparsing]<BR /> REGEX=(?m)^EventCode=(528|529)<BR /> DEST_KEY = queue<BR /> FORMAT = indexQueue</P> <P>but still receive non Admin events altought REGEX=Administrator in Regex PCRE Standard means "every string that contains Administrator word". I suppose the filter is not working. Does exist a way to filter in the parsing queue on a field basis ?</P> Thu, 02 Feb 2017 09:41:30 GMT fab73 2017-02-02T09:41:30Z https://community.splunk.com/t5/Getting-Data-In/Reducing-Windows-Security-Events-flow-by-filtering-in-parsing/m-p/272627#M52369 <P>In order to filter out non-administrator logon events on WinEventLog:Security sourcetype, I inserted the following stanza in transforms.conf in proper position I suppose:</P> <PRE><CODE>[setnull] REGEX = . DEST_KEY = queue FORMAT = nullQueue [secsetparsing2] REGEX=User_Name!=Administrator DEST_KEY = queue FORMAT = nullQueue [secsetparsing] REGEX=(?m)^EventCode=(528|529|530) DEST_KEY = queue FORMAT = indexQueue </CODE></PRE> <P>and in props.conf :</P> <PRE><CODE>[WinEventLog:Security] TRANSFORMS-security=setnull,secsetparsing2,secsetparsing </CODE></PRE> <P>but it doesn't work: events with User_Name different from Administrator are still coming in last minute to my indexers....any idea? Is there any error? I use Splunk 6.4.1. Any comment is appreciated.</P> Wed, 01 Feb 2017 13:54:59 GMT https://community.splunk.com/t5/Getting-Data-In/Reducing-Windows-Security-Events-flow-by-filtering-in-parsing/m-p/272627#M52369 fab73 2017-02-01T13:54:59Z https://community.splunk.com/t5/Getting-Data-In/Reducing-Windows-Security-Events-flow-by-filtering-in-parsing/m-p/272628#M52370 <P>The secsetparsing2 REGEX is written as boolean expression. It should be regular expression, you can't evaluate as field value. Instead of moving non-admins to nullQueue, you can just send admin events to indexqueue, like this</P> <PRE><CODE>[secsetparsing2] REGEX=User_Name=Administrator DEST_KEY = queue FORMAT = indexQueue </CODE></PRE> Wed, 01 Feb 2017 16:47:28 GMT https://community.splunk.com/t5/Getting-Data-In/Reducing-Windows-Security-Events-flow-by-filtering-in-parsing/m-p/272628#M52370 somesoni2 2017-02-01T16:47:28Z https://community.splunk.com/t5/Getting-Data-In/Reducing-Windows-Security-Events-flow-by-filtering-in-parsing/m-p/272629#M52371 <P>Thanks. But which is the regular expression that match the string </P> <P>"Nome utente: Administrator" </P> <P>in source data? </P> <P>I have this event (a classic Windows Security event):</P> <P>"02/02/2017 10:06:49 AM<BR /> LogName=Security<BR /> SourceName=Security<BR /> EventCode=529<BR /> EventType=16<BR /> Type=Failure Audit<BR /> ComputerName=server01<BR /> User=SYSTEM<BR /> Sid=S-1-5-18<BR /> SidType=1<BR /> Category=2<BR /> CategoryString=Accesso/fine sess.<BR /> RecordNumber=1549305796<BR /> Message=Accesso non riuscito:</P> <PRE><CODE>Motivo: Nome utente sconosciuto o password non valida Nome utente: Administrator Dominio: MyDomain Tipo di accesso: 3 </CODE></PRE> <P>..."</P> Thu, 02 Feb 2017 09:16:22 GMT https://community.splunk.com/t5/Getting-Data-In/Reducing-Windows-Security-Events-flow-by-filtering-in-parsing/m-p/272629#M52371 fab73 2017-02-02T09:16:22Z https://community.splunk.com/t5/Getting-Data-In/Reducing-Windows-Security-Events-flow-by-filtering-in-parsing/m-p/272630#M52372 <P>Is the filter applied on source data of the event?</P> Thu, 02 Feb 2017 09:23:39 GMT https://community.splunk.com/t5/Getting-Data-In/Reducing-Windows-Security-Events-flow-by-filtering-in-parsing/m-p/272630#M52372 fab73 2017-02-02T09:23:39Z https://community.splunk.com/t5/Getting-Data-In/Reducing-Windows-Security-Events-flow-by-filtering-in-parsing/m-p/272631#M52373 <P>I Tried : </P> <H6>#### Windows:Security</H6> <P>[setnull]<BR /> REGEX = .<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</P> <P>[secsetparsing2]<BR /> REGEX=Administrator<BR /> DEST_KEY = queue<BR /> FORMAT = indexQueue</P> <P>[secsetparsing]<BR /> REGEX=(?m)^EventCode=(528|529)<BR /> DEST_KEY = queue<BR /> FORMAT = indexQueue</P> <P>but still receive non Admin events altought REGEX=Administrator in Regex PCRE Standard means "every string that contains Administrator word". I suppose the filter is not working. Does exist a way to filter in the parsing queue on a field basis ?</P> Thu, 02 Feb 2017 09:41:30 GMT https://community.splunk.com/t5/Getting-Data-In/Reducing-Windows-Security-Events-flow-by-filtering-in-parsing/m-p/272631#M52373 fab73 2017-02-02T09:41:30Z https://community.splunk.com/t5/Getting-Data-In/Reducing-Windows-Security-Events-flow-by-filtering-in-parsing/m-p/272632#M52374 <P>It works splitting the filters by mean of two sequence of tansforms in transforms.conf and props.conf</P> <H3>Windows:Security</H3> <P>[setnull]<BR /> [secsetparsing]</P> <H3>Windows:Security</H3> <P>[setnull2]<BR /> [secsetparsing2]</P> Thu, 02 Feb 2017 10:33:30 GMT https://community.splunk.com/t5/Getting-Data-In/Reducing-Windows-Security-Events-flow-by-filtering-in-parsing/m-p/272632#M52374 fab73 2017-02-02T10:33:30Z