topic Re: Filtering out the message and body fields from wineventlog in Getting Data In

Filtering out the message and body fields from wineventlog

anandhalagaras1 — Thu, 03 Jun 2021 07:06:26 GMT

Hi Team,

We are already ingesting wineventlog in splunk. So we are currently working towards the license usage reduction for wineventlog and we have the Splunk_TA_windows - 8.0.0 version installed and all the fields are getting extracted as desired. So now I can see there are two fields getting extracted i.e. One of which is the "Message" and another the field is "body"

So both of them are having the same or identical data so if we filter out both the fields or any of the field then i believe we could save few amount of licenses.

So I have tried as below in my inputs.conf stanza of my wineventlog inputs but still either the Message or body field is not getting filtered out.

[WinEventLog://Security]
disabled = 0
suppress_text = 1

[WinEventLog://System]
disabled = 0
suppress_text = 1

[WinEventLog://Application]
disabled = 0
suppress_text = 1

If it is possible i want to filter out both the fields "body" and "Message" or atleast the body field alone so that we would be able to save some licensing.

So kindly help out with the inputs for the same.

Re: Filtering out the message and body fields from wineventlog

anandhalagaras1 — Mon, 07 Jun 2021 06:48:10 GMT

Can anyone kindly help on my request please.

Re: Filtering out the message and body fields from wineventlog

venkatasri — Thu, 10 Jun 2021 01:36:39 GMT

Hi @anandhalagaras1

I have replied a solution similar to your case, you can check the same here - Solved: Windows - Filtering Forwarded Events based on LogN... - Splunk Community

Let me know how you go.

An upvote would be appreciated if it helps!

Re: Filtering out the message and body fields from wineventlog

anandhalagaras1 — Mon, 14 Jun 2021 06:15:45 GMT

@venkatasri ,

Thank you for your response. But its not filtering out for particular event id but instead I want to completely remove the field before getting ingested into Splunk.

Currently I can see two fields in our Splunk console one is "body" and another one is "Message". So when i checked the information both seems to be the same.

Example of an event:

body -- >An account was logged off. Subject: Security ID: x-xx-xx-xx-xxxxxxxxx-xxxxx-xxxxxxx-xxxxx Account Name: ABCDEFGH$ Account Domain: XX Logon ID: 1w23456ewera Logon Type: 3

Message -->An account was logged off. Subject: Security ID: x-xx-xx-xx-xxxxxxxxx-xxxxx-xxxxxxx-xxxxx Account Name: ABCDEFGH$ Account Domain: XX Logon ID: 1w23456ewera Logon Type: 3

So similarly there would be another type of "body" field and the same would be in "Message" field .

So if i remove the "body" field then we can remove the duplicate data which in turn helps to save license.

So kindly help to provide with the stanza so that i can test it out in inputs.conf

Re: Filtering out the message and body fields from wineventlog

venkatasri — Mon, 14 Jun 2021 07:30:22 GMT

Hi @anandhalagaras1

If the both fields belongs to same event they can not be dropped to save license. There is no reference in splunk docs, alternatively you can raise a support case.

----

An upvote would be appreciated if it helps!

Re: Filtering out the message and body fields from wineventlog

venkatasri — Tue, 15 Jun 2021 00:35:09 GMT

@anandhalagaras1 Alternative solution is to break the event into two different events 1 body, 1 message. If you are fully confident both having same information then you can send either body/message into nullQueue based on key-word.

---

An upvote would be appreciated if it helps!

Re: Filtering out the message and body fields from wineventlog

anandhalagaras1 — Tue, 15 Jun 2021 05:59:06 GMT

@venkatasri ,

Actually i want to send the "body" field to nullQueue. So How can I send to nullQueue do we need to write props and transforms for the same. Or should I make them stop by updating in inputs.conf kindly help me with the stanza if possible.

Re: Filtering out the message and body fields from wineventlog

venkatasri — Tue, 15 Jun 2021 06:06:28 GMT

@anandhalagaras1

If your body, message are belongs to same event which means technically that's _raw field. When you send to nullQueue entire event will be lost. Yes props and transforms conf are the way forward.

refer - transforms.conf - Splunk Documentation

Re: Filtering out the message and body fields from wineventlog

venkatasri — Tue, 15 Jun 2021 06:42:13 GMT

@anandhalagaras1 if you still wish to proceed refer this link - Solved: Filtering events using NullQueue - Splunk Community

# props.cong setting [your_sourcetype] TRANSFORMS-delete = sendtonullqueue # transforms.conf settings [sendtonullqueue] REGEX = <this_should_match_your_body_uniquely> DEST_KEY=queue FORMAT=nullQueue #Both these settings shall be deployed to indexer/HF

----

An upvote would be appreciated if it helps!