https://community.splunk.com/t5/Getting-Data-In/Windows-Event-Filtering-working-on-all-but-one-host/m-p/46521#M8784 <P>This is strange. Are you sure it's the heavy forwarder app that is enabled, and not the Light Forwarder app? Are both perhaps enabled? It sounds like this forwarder isn't doing parsing, because the same config works on all of the others.</P> <P>You might try putting this same props / transforms setup on your indexers, and see if that filters these away.</P> Wed, 09 May 2012 13:55:13 GMT dwaddle 2012-05-09T13:55:13Z https://community.splunk.com/t5/Getting-Data-In/Windows-Event-Filtering-working-on-all-but-one-host/m-p/46520#M8783 <P>This is a weird situation. I have on a number of Windows hosts running the heavyweight forwarder the following in <CODE>local\props.conf</CODE></P> <PRE><CODE>[WinEventLog:Security] TRANSFORMS-null = setnull </CODE></PRE> <P>and in <CODE>local\transforms.conf</CODE></P> <PRE><CODE>[setnull] REGEX = (?msi)^EventCode=(5152|5157)\b DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> <P>That's been in place for about six months and was working as expected across all hosts (we did not see those codes in the indexer). A couple months ago, one host was rebuilt and inadvertently, the windows app was not installed. Recently we had a flood of the above two events, plus another, 5447, from that particular host. I updated transforms.conf to add the 5447 event (propgated to all other hosts) and added the windows app to the one that was missing it (and restarted splunk all around). All the other hosts are behaving as expected. That one host is still sending the 5152, 5157 and 5447 events. I've gone so far as to remove and reinstall splunk on it but it's still sending them. What could be going wrong?</P> Tue, 08 May 2012 20:41:04 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-Event-Filtering-working-on-all-but-one-host/m-p/46520#M8783 dsg18096 2012-05-08T20:41:04Z https://community.splunk.com/t5/Getting-Data-In/Windows-Event-Filtering-working-on-all-but-one-host/m-p/46521#M8784 <P>This is strange. Are you sure it's the heavy forwarder app that is enabled, and not the Light Forwarder app? Are both perhaps enabled? It sounds like this forwarder isn't doing parsing, because the same config works on all of the others.</P> <P>You might try putting this same props / transforms setup on your indexers, and see if that filters these away.</P> Wed, 09 May 2012 13:55:13 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-Event-Filtering-working-on-all-but-one-host/m-p/46521#M8784 dwaddle 2012-05-09T13:55:13Z https://community.splunk.com/t5/Getting-Data-In/Windows-Event-Filtering-working-on-all-but-one-host/m-p/46522#M8785 <P>It's definitely the heavy forwarder, and there's no conflicting light forwarder on the system.</P> <P>I suppose I can try putting the filter on the indexer, but even if I do, does that have any affect on my volume limit?</P> Thu, 10 May 2012 18:22:15 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-Event-Filtering-working-on-all-but-one-host/m-p/46522#M8785 dsg18096 2012-05-10T18:22:15Z https://community.splunk.com/t5/Getting-Data-In/Windows-Event-Filtering-working-on-all-but-one-host/m-p/46523#M8786 <P>No it doesn't. The daily license volume only counts things which make it into the index proper. If you route it to a <CODE>nullQueue</CODE> at the indexer, then it doesn't count against you.</P> Sat, 12 May 2012 15:49:37 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-Event-Filtering-working-on-all-but-one-host/m-p/46523#M8786 dwaddle 2012-05-12T15:49:37Z