https://community.splunk.com/t5/Getting-Data-In/Trying-to-drop-Windows-Events-at-the-Indexer/m-p/33744#M6051 <P>we do it like this on our bunny farm:</P> <P>$SPLUNK_HOME/etc/system/local:<BR /> Props.conf</P> <PRE><CODE> [WinEventLog:Security] TRANSFORMS = null, keep </CODE></PRE> <P>Transforms.conf</P> <PRE><CODE>[keep] REGEX = . DEST_KEY = queue FORMAT = indexQueue [null] REGEX=EventCode=(4957|5154|5156|5158) DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> Mon, 23 Apr 2012 23:06:57 GMT Chubbybunny 2012-04-23T23:06:57Z https://community.splunk.com/t5/Getting-Data-In/Trying-to-drop-Windows-Events-at-the-Indexer/m-p/33743#M6050 <P>I am attempting to drop WinEventLog:Security EventCode's at the Indexer and I am not having any success. I have read a few SplunkBase questions concerning this very topic and attempted to follow the instructions with little success. This is what I have so far.</P> <P>Props.conf</P> <P><CODE><BR /> [WinEventLog:Security]<BR /> TRANSFORMS-set = dropevents<BR /> </CODE></P> <P>Transforms.conf</P> <P><CODE><BR /> [dropevents]<BR /> REGEX = (?m)^EventCode=(4957|5154|5156|5158)<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue<BR /> </CODE></P> <P>Any ideas what I am doing wrong here?</P> Mon, 23 Apr 2012 20:58:40 GMT https://community.splunk.com/t5/Getting-Data-In/Trying-to-drop-Windows-Events-at-the-Indexer/m-p/33743#M6050 rmcdougal 2012-04-23T20:58:40Z https://community.splunk.com/t5/Getting-Data-In/Trying-to-drop-Windows-Events-at-the-Indexer/m-p/33744#M6051 <P>we do it like this on our bunny farm:</P> <P>$SPLUNK_HOME/etc/system/local:<BR /> Props.conf</P> <PRE><CODE> [WinEventLog:Security] TRANSFORMS = null, keep </CODE></PRE> <P>Transforms.conf</P> <PRE><CODE>[keep] REGEX = . DEST_KEY = queue FORMAT = indexQueue [null] REGEX=EventCode=(4957|5154|5156|5158) DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> Mon, 23 Apr 2012 23:06:57 GMT https://community.splunk.com/t5/Getting-Data-In/Trying-to-drop-Windows-Events-at-the-Indexer/m-p/33744#M6051 Chubbybunny 2012-04-23T23:06:57Z https://community.splunk.com/t5/Getting-Data-In/Trying-to-drop-Windows-Events-at-the-Indexer/m-p/33745#M6052 <P>Vote the Chubby bunny up if it helps!</P> <PRE><CODE>(\__/) (='.'=) (")_(") </CODE></PRE> Mon, 23 Apr 2012 23:18:47 GMT https://community.splunk.com/t5/Getting-Data-In/Trying-to-drop-Windows-Events-at-the-Indexer/m-p/33745#M6052 Chubbybunny 2012-04-23T23:18:47Z https://community.splunk.com/t5/Getting-Data-In/Trying-to-drop-Windows-Events-at-the-Indexer/m-p/33746#M6053 <P>I appreciate the help, but for some reason this still isn't working for me. This is what I have on my box currently but is still isn't dropping anything.</P> <P>props.conf</P> <P><BR /> [WinEventLog:Security]<BR /> TRANSFORMS-set= setnull,setparsing<BR /> </P> <P>transforms.conf</P> <P><CODE><BR /> [setnull]<BR /> REGEX = EventCode=(4957|5154|5156|5158)<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</CODE></P> <P>[setparsing]<BR /> REGEX = .<BR /> DEST_KEY = queue<BR /> FORMAT = indexQueue<BR /> </P> <P>Here is a sample event</P> <P><A href="http://i.imgur.com/FmxeK.png">http://i.imgur.com/FmxeK.png</A></P> Tue, 24 Apr 2012 14:02:31 GMT https://community.splunk.com/t5/Getting-Data-In/Trying-to-drop-Windows-Events-at-the-Indexer/m-p/33746#M6053 rmcdougal 2012-04-24T14:02:31Z https://community.splunk.com/t5/Getting-Data-In/Trying-to-drop-Windows-Events-at-the-Indexer/m-p/33747#M6054 <P>The location of the props.conf or transforms.conf matters. If this is a Universal Forwarder (UF), the rules which would trigger for placing these events in the nullQueue aren't processed there. You'll need these rules on the indexer(s) instead. By contrast, if the forwarder is "heavy" (i.e. a full Splunk forwarding its log data elsewhere), the props / transforms have to be on that forwarder itself.</P> Tue, 24 Apr 2012 14:38:25 GMT https://community.splunk.com/t5/Getting-Data-In/Trying-to-drop-Windows-Events-at-the-Indexer/m-p/33747#M6054 sowings 2012-04-24T14:38:25Z https://community.splunk.com/t5/Getting-Data-In/Trying-to-drop-Windows-Events-at-the-Indexer/m-p/33748#M6055 <P>Interestingly enough, even if I do this</P> <P>props.conf</P> <P><CODE><BR /> [WinEventLog:Security]<BR /> TRANSFORMS = setnull<BR /> </CODE></P> <P>transforms.conf</P> <P><CODE><BR /> [setnull]<BR /> REGEX = .<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue<BR /> </CODE></P> <P>It doesn't drop anything. It has to be something with the sourcetype having a colon in it I imagine.</P> Tue, 24 Apr 2012 14:38:26 GMT https://community.splunk.com/t5/Getting-Data-In/Trying-to-drop-Windows-Events-at-the-Indexer/m-p/33748#M6055 rmcdougal 2012-04-24T14:38:26Z