https://community.splunk.com/t5/Getting-Data-In/Index-some-of-a-certain-event-code/m-p/499310#M85115 <P>The blacklist has precedence over whitelist, so in this case the blacklist will not index any data from security event 4688. </P> <P>"It is not necessary to define both a whitelist and a blacklist in a stanza. They are independent settings. If you do define both and a file matches both, the forwarder does not index that file as blacklist overrides whitelist." this note are from this document</P> <P><A href="https://docs.splunk.com/Documentation/SplunkCloud/7.2.7/Data/Whitelistorblacklistspecificincomingdata">https://docs.splunk.com/Documentation/SplunkCloud/7.2.7/Data/Whitelistorblacklistspecificincomingdata</A></P> <P>My suggestion is to use this inputs.conf only<BR /> [WinEventLog://Security]<BR /> disabled = 0<BR /> index = test<BR /> interval = 60<BR /> whitelist = 4688<BR /> sourcetype = Security4688</P> <P>This props.conf<BR /> [Security4688]<BR /> TRANSFORMS-set = setnull,useronly4688</P> <P>and the transforms, because here you are send all the security event 4688 and others to null queue, except those ones starting with S-1-5-21-</P> <P>[setnull]<BR /> REGEX = .<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</P> <P>[useronly4688]<BR /> REGEX = S-1-5-21-<BR /> DEST_KEY = queue<BR /> FORMAT = indexQueue</P> Wed, 09 Oct 2019 00:36:27 GMT ivanreis 2019-10-09T00:36:27Z https://community.splunk.com/t5/Getting-Data-In/Index-some-of-a-certain-event-code/m-p/499307#M85112 <P>Follow-up (ish) to <A href="https://answers.splunk.com/answers/757315/why-isnt-my-transforms-working.html">https://answers.splunk.com/answers/757315/why-isnt-my-transforms-working.html</A> as I let it sit idle for a while.</P> <P>I want to index Event Code 4688: <A href="https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4688">https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4688</A> Problem is that it generates a high volume of events. I determined I can filter the field <STRONG>Security_ID</STRONG> for values starting with <EM>S-1-5-21-</EM> (includes real users only). I want this to apply only to event code 4688. All other events should process normally.</P> <P><STRONG>inputs.conf (forwarder app)</STRONG></P> <PRE><CODE>[WinEventLog://Security] disabled = 0 index = test interval = 60 blacklist = 4688 [WinEventLog://Security] disabled = 0 index = test interval = 60 whitelist = 4688 sourcetype = Security4688 </CODE></PRE> <P><STRONG>\etc\apps\myapp\local\props.conf</STRONG></P> <PRE><CODE>[Security4688] TRANSFORMS-set = setnull,useronly4688 </CODE></PRE> <P><STRONG>\etc\apps\myapp\local\transforms.conf</STRONG></P> <PRE><CODE>[setnull] REGEX = . DEST_KEY = queue FORMAT = nullQueue [useronly4688] REGEX = S-1-5-21- DEST_KEY = queue FORMAT = indexQueue </CODE></PRE> <P>My thought was to have the forwarder change the sourcetype of event 4688, and leave all others alone. On the server, props can use that sourcetype to only use the regular expression on event 4688, and send non-matches to nullQueue. What's wrong here? Is it my use of duplicate stanzas?</P> Tue, 08 Oct 2019 18:27:33 GMT https://community.splunk.com/t5/Getting-Data-In/Index-some-of-a-certain-event-code/m-p/499307#M85112 tmontney 2019-10-08T18:27:33Z https://community.splunk.com/t5/Getting-Data-In/Index-some-of-a-certain-event-code/m-p/499308#M85113 <P>They're not really duplicate stanzas, just the same stanza with multiple definitions. Splunk merges all attributes with the same stanza name into a single stanza. So in this case you'll end up with EventCode 4688 on both the whitelist and blacklist.</P> Tue, 08 Oct 2019 18:43:07 GMT https://community.splunk.com/t5/Getting-Data-In/Index-some-of-a-certain-event-code/m-p/499308#M85113 richgalloway 2019-10-08T18:43:07Z https://community.splunk.com/t5/Getting-Data-In/Index-some-of-a-certain-event-code/m-p/499309#M85114 <P>So how would I index the Security log, where 4688 becomes a different sourcetype, and the rest of the Security log indexes like normal? Separate apps?</P> Tue, 08 Oct 2019 21:25:42 GMT https://community.splunk.com/t5/Getting-Data-In/Index-some-of-a-certain-event-code/m-p/499309#M85114 tmontney 2019-10-08T21:25:42Z https://community.splunk.com/t5/Getting-Data-In/Index-some-of-a-certain-event-code/m-p/499310#M85115 <P>The blacklist has precedence over whitelist, so in this case the blacklist will not index any data from security event 4688. </P> <P>"It is not necessary to define both a whitelist and a blacklist in a stanza. They are independent settings. If you do define both and a file matches both, the forwarder does not index that file as blacklist overrides whitelist." this note are from this document</P> <P><A href="https://docs.splunk.com/Documentation/SplunkCloud/7.2.7/Data/Whitelistorblacklistspecificincomingdata">https://docs.splunk.com/Documentation/SplunkCloud/7.2.7/Data/Whitelistorblacklistspecificincomingdata</A></P> <P>My suggestion is to use this inputs.conf only<BR /> [WinEventLog://Security]<BR /> disabled = 0<BR /> index = test<BR /> interval = 60<BR /> whitelist = 4688<BR /> sourcetype = Security4688</P> <P>This props.conf<BR /> [Security4688]<BR /> TRANSFORMS-set = setnull,useronly4688</P> <P>and the transforms, because here you are send all the security event 4688 and others to null queue, except those ones starting with S-1-5-21-</P> <P>[setnull]<BR /> REGEX = .<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</P> <P>[useronly4688]<BR /> REGEX = S-1-5-21-<BR /> DEST_KEY = queue<BR /> FORMAT = indexQueue</P> Wed, 09 Oct 2019 00:36:27 GMT https://community.splunk.com/t5/Getting-Data-In/Index-some-of-a-certain-event-code/m-p/499310#M85115 ivanreis 2019-10-09T00:36:27Z