https://community.splunk.com/t5/Getting-Data-In/How-to-Exclude-Windows-EventTypes-in-Splunk-Heavy-Fowarder/m-p/47851#M96734 <P>I think you are close to what you want to but there is one (maybe more) error. One error was the spaces that you had in the regex, also specifying ".*^Type=Success Audit" in the regex is unnecessary. I also modified the sourcetype name in the props.conf stanza (are you actually collecting the logs via WMI?) </P> <P>Try this:</P> <P><STRONG>props.conf changes</STRONG></P> <PRE><CODE>[WinEventLog:Security] TRANSFORMS-set=setnull </CODE></PRE> <P><STRONG>transforms.conf changes</STRONG></P> <PRE><CODE>[setnull] REGEX=(?mi)^EventCode=(4674) DEST_KEY=queue FORMAT=nullQueue </CODE></PRE> Fri, 01 Mar 2013 02:48:14 GMT sbrant_splunk 2013-03-01T02:48:14Z https://community.splunk.com/t5/Getting-Data-In/How-to-Exclude-Windows-EventTypes-in-Splunk-Heavy-Fowarder/m-p/47850#M96733 <P>I'm trying to exclude event type "4674" from showing up in my Splunk Indexer. I'm using in Heavy Forwarder. I was making changes in the props.conf and transform.conf files in the Local file folder as opposed to the Default file folder. </P> <P>I'm using a Heavy Forwarder on a Windows 7 32-bit VMWare box.</P> <P>Here's my coding:</P> <H5>Props.conf changes</H5> <P>[WMI:WinEventLog:Security]<BR /> TRANSFORMS-set=setnull</P> <H5>Transform.conf changes</H5> <P>[setnull] REGEX =(?msi)^EventCode = (4674).*^Type=Success Audit DEST_KEY=queue FORMAT=nullQueue</P> <P>When I check my indexer, event code 4674 still appears.</P> Thu, 28 Feb 2013 23:16:04 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-Exclude-Windows-EventTypes-in-Splunk-Heavy-Fowarder/m-p/47850#M96733 uayub 2013-02-28T23:16:04Z https://community.splunk.com/t5/Getting-Data-In/How-to-Exclude-Windows-EventTypes-in-Splunk-Heavy-Fowarder/m-p/47851#M96734 <P>I think you are close to what you want to but there is one (maybe more) error. One error was the spaces that you had in the regex, also specifying ".*^Type=Success Audit" in the regex is unnecessary. I also modified the sourcetype name in the props.conf stanza (are you actually collecting the logs via WMI?) </P> <P>Try this:</P> <P><STRONG>props.conf changes</STRONG></P> <PRE><CODE>[WinEventLog:Security] TRANSFORMS-set=setnull </CODE></PRE> <P><STRONG>transforms.conf changes</STRONG></P> <PRE><CODE>[setnull] REGEX=(?mi)^EventCode=(4674) DEST_KEY=queue FORMAT=nullQueue </CODE></PRE> Fri, 01 Mar 2013 02:48:14 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-Exclude-Windows-EventTypes-in-Splunk-Heavy-Fowarder/m-p/47851#M96734 sbrant_splunk 2013-03-01T02:48:14Z https://community.splunk.com/t5/Getting-Data-In/How-to-Exclude-Windows-EventTypes-in-Splunk-Heavy-Fowarder/m-p/47852#M96735 <P>Also, be sure to put these configs in the props/transforms on the heavy forwarder and not the indexer.</P> Fri, 01 Mar 2013 03:01:17 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-Exclude-Windows-EventTypes-in-Splunk-Heavy-Fowarder/m-p/47852#M96735 sbrant_splunk 2013-03-01T03:01:17Z