https://community.splunk.com/t5/Getting-Data-In/Window-Event-Multiline-nullQueue-Question/m-p/441220#M76922 <P>Hi<BR /> A nullQueue procedure is need in multiline data, such as in a Windows security log.<BR /> The heavy forwarder is trying to nullQueueue logs sent by a large number of universal forwarders.<BR /> If it is a name other than ComputerName=PC01 and ComputerName=PC02, I would like to send EventCode=5145 to nullQueueue.<BR /> But I have to get another EventCode.<BR /> Is there a good way?</P> <P>-- example data--<BR /> 08/09/2019 12:21:21 PM<BR /> LogName=Security<BR /> SourceName=Microsoft Windows security auditing.<BR /> EventCode=5145<BR /> EventType=0<BR /> Type=info<BR /> ComputerName=PC01</P> Fri, 09 Aug 2019 05:57:23 GMT khyoung7410 2019-08-09T05:57:23Z https://community.splunk.com/t5/Getting-Data-In/Window-Event-Multiline-nullQueue-Question/m-p/441220#M76922 <P>Hi<BR /> A nullQueue procedure is need in multiline data, such as in a Windows security log.<BR /> The heavy forwarder is trying to nullQueueue logs sent by a large number of universal forwarders.<BR /> If it is a name other than ComputerName=PC01 and ComputerName=PC02, I would like to send EventCode=5145 to nullQueueue.<BR /> But I have to get another EventCode.<BR /> Is there a good way?</P> <P>-- example data--<BR /> 08/09/2019 12:21:21 PM<BR /> LogName=Security<BR /> SourceName=Microsoft Windows security auditing.<BR /> EventCode=5145<BR /> EventType=0<BR /> Type=info<BR /> ComputerName=PC01</P> Fri, 09 Aug 2019 05:57:23 GMT https://community.splunk.com/t5/Getting-Data-In/Window-Event-Multiline-nullQueue-Question/m-p/441220#M76922 khyoung7410 2019-08-09T05:57:23Z https://community.splunk.com/t5/Getting-Data-In/Window-Event-Multiline-nullQueue-Question/m-p/441221#M76923 <P>Provided the windows events are properly parsed for multiline, you can keep specific events and discard the rest as below.</P> <P>1) Edit&nbsp;<CODE>props.conf</CODE>&nbsp;and add the following (Modify sourcetype accordingly):</P> <PRE><CODE>[winSecurityLog] TRANSFORMS-set= setnull,setparsing </CODE></PRE> <P>2) Edit&nbsp;<CODE>transforms.conf</CODE>&nbsp;and add the following:</P> <PRE><CODE>[setnull] REGEX = . DEST_KEY = queue FORMAT = nullQueue [setparsing] REGEX = PC0[1-2] DEST_KEY = queue FORMAT = indexQueue </CODE></PRE> <P><STRONG>Reference:</STRONG> <BR /> <A href="https://docs.splunk.com/Documentation/Splunk/7.2.3/Forwarding/Routeandfilterdatad">https://docs.splunk.com/Documentation/Splunk/7.2.3/Forwarding/Routeandfilterdatad</A></P> Fri, 09 Aug 2019 06:21:46 GMT https://community.splunk.com/t5/Getting-Data-In/Window-Event-Multiline-nullQueue-Question/m-p/441221#M76923 jawaharas 2019-08-09T06:21:46Z https://community.splunk.com/t5/Getting-Data-In/Window-Event-Multiline-nullQueue-Question/m-p/441222#M76924 <P>It doesn't fit the above conditions.</P> Fri, 09 Aug 2019 08:42:45 GMT https://community.splunk.com/t5/Getting-Data-In/Window-Event-Multiline-nullQueue-Question/m-p/441222#M76924 khyoung7410 2019-08-09T08:42:45Z https://community.splunk.com/t5/Getting-Data-In/Window-Event-Multiline-nullQueue-Question/m-p/441223#M76925 <P>Is this your condition?</P> <P>if (ComputerName !=PC01 AND ComputerName!=PC02 AND EventCode=5145)<BR /> then<BR /> Send_To_NullQueue<BR /> else<BR /> Send_to_IndexQueue</P> Wed, 30 Sep 2020 01:43:05 GMT https://community.splunk.com/t5/Getting-Data-In/Window-Event-Multiline-nullQueue-Question/m-p/441223#M76925 jawaharas 2020-09-30T01:43:05Z