topic Re: How to use regex to filter out Windows events with Account names ending with $? in Splunk Search

How to use regex to filter out Windows events with Account names ending with $?

kiran331 — Thu, 14 Sep 2017 21:14:43 GMT

How to edit props.conf and transforms.conf to exclude the windows events with event Codes 4634 at indexing time and Account_Name ending with $? Below is the sample event

Re: How to use regex to filter out Windows events with Account names ending with $?

malvidin — Thu, 14 Sep 2017 21:32:33 GMT

I recommend not using a regular expression.

<base search> NOT (EventCode="4634" OR Account_Name="*$")

If you're set on using regular expressions, try the following.

<base search>
| regex Account_Name!="\$$"
| regex EventCode!="4634"

Both searches assume you've extracted those fields. You can create a regular expression to search against the raw field, but I recommend searching against extracted fields.

If you want to go a step further, try mapping it to the Splunk CIM, and then searching against the CIM field names.

Re: How to use regex to filter out Windows events with Account names ending with $?

kiran331 — Thu, 14 Sep 2017 21:33:40 GMT

I want to ignore them at indexing time

Re: How to use regex to filter out Windows events with Account names ending with $?

malvidin — Thu, 14 Sep 2017 21:51:52 GMT

I recommend changing your question title and summary to include the information from your comment, or you might get answers that don't address your situation.

Re: How to use regex to filter out Windows events with Account names ending with $?

Sukisen1981 — Fri, 15 Sep 2017 17:06:58 GMT

Hi,

Why don't you try blacklist in inputs.conf if you are on universal forwarder?
[your stanza / what you are monitoring]
blacklist = 400
will ignore all 400 type errors

Re: How to use regex to filter out Windows events with Account names ending with $?

istutig — Fri, 20 Nov 2020 09:22:22 GMT

@kiran331 Did you find the correct regex to blacklist Account name ending with $ at index time