https://community.splunk.com/t5/Splunk-Search/How-to-send-events-in-JSON-format-to-NullQueue/m-p/340335#M100940 <P>Did you restart splunkd after making changes?</P> Thu, 02 Nov 2017 14:18:17 GMT skoelpin 2017-11-02T14:18:17Z https://community.splunk.com/t5/Splunk-Search/How-to-send-events-in-JSON-format-to-NullQueue/m-p/340332#M100937 <P>Hello,</P> <P>We are puling JSON data from cloud, can I trim out the events with EventId=5156 and 5158 from the events with sourcetype "mscs:storage:table". Below is the sample event and _raw event?</P> <P>{ [-] <BR /> Channel: Security<BR /><BR /> DeploymentId: fgdfgfdgfdgfgngzser3<BR /><BR /> Description: The Windows Filtering Platform has permitted a connection.</P> <P>Application Information:<BR /> Process ID: 964<BR /> Application Name: \device\harddisk\program files\splunkuniversalforwarder\bin\splunkd.exe</P> <P>Network Information:<BR /> Direction: Outbound<BR /> Source Address: 1.11.12.13<BR /> Source Port: 57564<BR /> Destination Address: 21.22.23.24<BR /> Destination Port: 9997<BR /> Protocol: 6</P> <P>Filter Information:<BR /> Filter Run-Time ID: 119665<BR /> Layer Name: Connect<BR /> Layer Run-Time ID: 48<BR /><BR /> EventId: 5156<BR /><BR /> EventTickCount: 4545656687812<BR /><BR /> <A href="mailto:EventTickCount@odata.type">EventTickCount@odata.type</A>: Edm.Int64<BR /><BR /> Level: 0<BR /><BR /> Opcode: 0<BR /><BR /> PartitionKey: 565656548896<BR /><BR /> Pid: 4<BR /><BR /> PreciseTimeStamp: 2017-10-31T19:50:52.5322979Z<BR /><BR /> <A href="mailto:PreciseTimeStamp@odata.type">PreciseTimeStamp@odata.type</A>: Edm.DateTime<BR /><BR /> ProviderGuid: {asa-dfdfdf-4994-sads-fdfdf}<BR /><BR /> ProviderName: Microsoft-Windows-Security-Auditing<BR /><BR /> RawXml: <EVENT xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><SYSTEM><PROVIDER name="Microsoft-Windows-Security-Auditing" guid="{dfdf-5478-4994-fdf-df}"></PROVIDER><EVENTID>5156</EVENTID><VERSION>1</VERSION><LEVEL>0</LEVEL><TASK>12810</TASK><OPCODE>0</OPCODE><KEYWORDS>0x8020000000000000</KEYWORDS><TIMECREATED systemtime="2017-10-31T19:50:52.532297900Z"></TIMECREATED><EVENTRECORDID>4344544</EVENTRECORDID><CORRELATION></CORRELATION><EXECUTION processid="4" threadid="14808"></EXECUTION><CHANNEL>Security</CHANNEL><COMPUTER>test.tt.com</COMPUTER><SECURITY></SECURITY></SYSTEM><EVENTDATA><DATA name="ProcessID">964</DATA><DATA name="Application">\device\harddisk\program files\splunkuniversalforwarder\bin\splunkd.exe</DATA><DATA name="Direction">%%14593</DATA><DATA name="SourceAddress">1.11.12.13</DATA><DATA name="SourcePort">57564</DATA><DATA name="DestAddress">21.22.23.24</DATA><DATA name="DestPort">9997</DATA><DATA name="Protocol">6</DATA><DATA name="FilterRTID">119665</DATA><DATA name="LayerName">%%14611</DATA><DATA name="LayerRTID">48</DATA><DATA name="RemoteUserID">S-1-0-0</DATA><DATA name="RemoteMachineID">S-1-0-0</DATA></EVENTDATA></EVENT><BR /><BR /> Role: IaaS<BR /><BR /> RoleInstance: _test.tt.com<BR /><BR /> RowIndex: 000000010755656<BR /><BR /> RowKey: dfttresttvsdfsfsf000000019 <BR /> TIMESTAMP: 2017-10-31T19:50:00Z<BR /><BR /> <A href="mailto:TIMESTAMP@odata.type">TIMESTAMP@odata.type</A>: Edm.DateTime<BR /><BR /> Task: 12810<BR /><BR /> Tid: 14808<BR /><BR /> Timestamp: 2017-10-31T19:51:26.4589637Z<BR /><BR /> odata.etag: W/"datetime'2017-10-31T19%3A51%3A26.4589637Z'" <BR /> }</P> <P>_raw event:</P> <P>{"Timestamp": "2017-10-31T19:51:26.4589637Z", "ProviderName": "Microsoft-Windows-Security-Auditing", "RawXml": "5156101281000x8020000000000000fdfdfe323Securitytest.tt.com964\device\harddis3\program files\splunkuniversalforwarder\bin\splunkd.exe%%145931.11.12.135756421.22.23.2499976119665%%1461148S-1-0-0S-1-0-0", "RowIndex": "0000000107374703779", "TIMESTAMP": "2017-10-31T19:50:00Z", "EventTickCount": "dfdf", "PartitionKey": "0636988789789835", "Tid": 14808, "Role": "IaaS", "<A href="mailto:EventTickCount@odata.type">EventTickCount@odata.type</A>": "Edm.Int64", "Channel": "Security", "Task": 12810, "<A href="mailto:PreciseTimeStamp@odata.type">PreciseTimeStamp@odata.type</A>": "Edm.DateTime", "PreciseTimeStamp": "2017-10-31T19:50:52.5322979Z", "Level": 0, "ProviderGuid": "{erer-5478-4994-errer-3E3B0328C30D}", "RoleInstance": "_test.tt.com", "<A href="mailto:TIMESTAMP@odata.type">TIMESTAMP@odata.type</A>": "Edm.DateTime", "EventId": 5156, "Description": "The Windows Filtering Platform has permitted a connection.\n\nApplication Information:\n\tProcess ID:\t\t964\n\tApplication Name:\t\device\harddisk\program files\splunkuniversalforwarder\bin\splunkd.exe\n\nNetwork Information:\n\tDirection:\t\tOutbound\n\tSource Address:\t\t1.11.12.13\n\tSource Port:\t\t57564\n\tDestination Address:\t21.22.23.24\n\tDestination Port:\t\t9997\n\tProtocol:\t\t6\n\nFilter Information:\n\tFilter Run-Time ID:\t119665\n\tLayer Name:\t\tConnect\n\tLayer Run-Time ID:\t48", "Pid": 4, "DeploymentId": "c9f4631c-fdfdfff-6a27dbd29a02", "odata.etag": "W/\"datetime'2017-10-31T19%3A51%3A26.4589637Z'\"", "RowKey": "c9f4631c-bf16-dferersfssdf</P> Tue, 31 Oct 2017 20:15:35 GMT https://community.splunk.com/t5/Splunk-Search/How-to-send-events-in-JSON-format-to-NullQueue/m-p/340332#M100937 kiran331 2017-10-31T20:15:35Z https://community.splunk.com/t5/Splunk-Search/How-to-send-events-in-JSON-format-to-NullQueue/m-p/340333#M100938 <P>Try this </P> <P><CODE>props.conf</CODE></P> <PRE><CODE>[mscs:storage:table] TRANSFORMS-DiscardWinEvents = eliminate-eventids </CODE></PRE> <P><CODE>transforms.conf</CODE></P> <PRE><CODE> [eliminate-eventids] REGEX=EventId=(5156|5158) DEST_KEY=queue FORMAT=nullQueue </CODE></PRE> Wed, 01 Nov 2017 15:39:18 GMT https://community.splunk.com/t5/Splunk-Search/How-to-send-events-in-JSON-format-to-NullQueue/m-p/340333#M100938 skoelpin 2017-11-01T15:39:18Z https://community.splunk.com/t5/Splunk-Search/How-to-send-events-in-JSON-format-to-NullQueue/m-p/340334#M100939 <P>I tried this one on the Heavy forwarder, its not working.</P> Thu, 02 Nov 2017 14:15:20 GMT https://community.splunk.com/t5/Splunk-Search/How-to-send-events-in-JSON-format-to-NullQueue/m-p/340334#M100939 kiran331 2017-11-02T14:15:20Z https://community.splunk.com/t5/Splunk-Search/How-to-send-events-in-JSON-format-to-NullQueue/m-p/340335#M100940 <P>Did you restart splunkd after making changes?</P> Thu, 02 Nov 2017 14:18:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-send-events-in-JSON-format-to-NullQueue/m-p/340335#M100940 skoelpin 2017-11-02T14:18:17Z https://community.splunk.com/t5/Splunk-Search/How-to-send-events-in-JSON-format-to-NullQueue/m-p/340336#M100941 <P>Yes, I restarted it.</P> Thu, 02 Nov 2017 14:34:47 GMT https://community.splunk.com/t5/Splunk-Search/How-to-send-events-in-JSON-format-to-NullQueue/m-p/340336#M100941 kiran331 2017-11-02T14:34:47Z https://community.splunk.com/t5/Splunk-Search/How-to-send-events-in-JSON-format-to-NullQueue/m-p/340337#M100942 <P>Your regex won't match. The _raw data contais this: ...,"EventId": 5156,... therefore your regex in the transforms.conf stanza should go like this:</P> <PRE><CODE>REGEX = \"EventId\":\s*(?:5156|5158) </CODE></PRE> Tue, 05 Dec 2017 07:54:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-send-events-in-JSON-format-to-NullQueue/m-p/340337#M100942 macvili 2017-12-05T07:54:27Z