https://community.splunk.com/t5/Splunk-Search/filter-events-on-indexer/m-p/44870#M10606 <P>There are a couple of problems with this. </P> <P>First the regex in setparsing is wrong. You should start the list of numbers with an open brace and don't need the terminating .*</P> <PRE><CODE>REGEX = (?msi)^EventCode=(552|538|576|528|529) </CODE></PRE> <P>Next, you have your regex in setnull to match everything. This will send it all to the null queue. Then you pull back (if the regex is fixed) the ones you want. This is inefficient so you want to create a regex to catch only what you want to throw away.</P> <P>I would do this as follows:-</P> <P><STRONG>On the indexer</STRONG></P> <P>props.conf</P> <PRE><CODE>[WinEventLog:Security] TRANSFORMS-set= setnull </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[setnull] REGEX = (?msi)^EventCode=(?!(552|538|576|528|529)\b) DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> <P>The ?! in this regex is sayng NOT what is in this bracket and the \b is making sure it doesn't match 5221, 5385 etc.</P> <P>By the way, the <CODE>FORMAT = indexQueue</CODE> is telling splunk to put the event back in the indexing queue and it will use whatever index was defined in inputs.conf</P> <P>Bob</P> Thu, 05 Jan 2012 13:17:41 GMT BobM 2012-01-05T13:17:41Z https://community.splunk.com/t5/Splunk-Search/filter-events-on-indexer/m-p/44869#M10605 <P>I want to filter some types of events at my indexer, that are received from several universal forwarders.</P> <P>I try something similar like this:</P> <P><A href="http://splunk-base.splunk.com/answers/96/how-do-i-exclude-some-events-from-being-indexed-by-splunk">http://splunk-base.splunk.com/answers/96/how-do-i-exclude-some-events-from-being-indexed-by-splunk</A></P> <P>However I'm not receiving any events on my index. </P> <UL> <LI>Am I missing some configuration or some config file?</LI> <LI>How do filter and index only those events on the regex?</LI> <LI>The target index only needs to be on the univ forwarder inputs.conf file right?</LI> <LI>The dropped events sent to nullQueue are never indexed correct? They are dropped before the index process..?</LI> </UL> <P>Any help is much appreciated. </P> <P>My configuration files are the following:</P> <P>**</P> <H2>INDEXER:</H2> <P>**</P> <P><STRONG>props.conf</STRONG></P> <P>[WinEventLog:Security]</P> <P>TRANSFORMS-set= setnull,setparsing</P> <P><STRONG>transforms.conf</STRONG></P> <P>[setnull]</P> <P>REGEX = .</P> <P>DEST_KEY = queue</P> <P>FORMAT = nullQueue</P> <P>[setparsing]</P> <P>REGEX = (?msi)^EventCode=552|538|576|528|529).*</P> <P>DEST_KEY = queue</P> <P>FORMAT = indexQueue (I don't fully understand the purpose of this field! Should it have the target index?)</P> <H2>Univ. Forwarder</H2> <P><STRONG>inputs.conf</STRONG></P> <P>[WinEventLog:Security]</P> <P>disabled = 0</P> <P>index = myIndex</P> <P>start_from = oldest</P> <P><STRONG>outputs.conf</STRONG></P> <P>[tcpout]</P> <P>defaultGroup=(myServer)_9997</P> <P>[tcpout:(myServer)_9997]</P> <P>server=(myServer):9997</P> <P>useACK = true</P> <P>[tcpout-server://(myServer):9997]</P> <P>useACK = true</P> Thu, 05 Jan 2012 12:21:46 GMT https://community.splunk.com/t5/Splunk-Search/filter-events-on-indexer/m-p/44869#M10605 fernandoandre 2012-01-05T12:21:46Z https://community.splunk.com/t5/Splunk-Search/filter-events-on-indexer/m-p/44870#M10606 <P>There are a couple of problems with this. </P> <P>First the regex in setparsing is wrong. You should start the list of numbers with an open brace and don't need the terminating .*</P> <PRE><CODE>REGEX = (?msi)^EventCode=(552|538|576|528|529) </CODE></PRE> <P>Next, you have your regex in setnull to match everything. This will send it all to the null queue. Then you pull back (if the regex is fixed) the ones you want. This is inefficient so you want to create a regex to catch only what you want to throw away.</P> <P>I would do this as follows:-</P> <P><STRONG>On the indexer</STRONG></P> <P>props.conf</P> <PRE><CODE>[WinEventLog:Security] TRANSFORMS-set= setnull </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[setnull] REGEX = (?msi)^EventCode=(?!(552|538|576|528|529)\b) DEST_KEY = queue FORMAT = nullQueue </CODE></PRE> <P>The ?! in this regex is sayng NOT what is in this bracket and the \b is making sure it doesn't match 5221, 5385 etc.</P> <P>By the way, the <CODE>FORMAT = indexQueue</CODE> is telling splunk to put the event back in the indexing queue and it will use whatever index was defined in inputs.conf</P> <P>Bob</P> Thu, 05 Jan 2012 13:17:41 GMT https://community.splunk.com/t5/Splunk-Search/filter-events-on-indexer/m-p/44870#M10606 BobM 2012-01-05T13:17:41Z https://community.splunk.com/t5/Splunk-Search/filter-events-on-indexer/m-p/44871#M10607 <P>I have understand more clearly the mechanism with your explanation than with documentation and other posts.</P> <P>I have tested for 1hour now and it works perfectly. </P> <P>Thank you for your assistance.</P> Thu, 05 Jan 2012 16:08:27 GMT https://community.splunk.com/t5/Splunk-Search/filter-events-on-indexer/m-p/44871#M10607 fernandoandre 2012-01-05T16:08:27Z https://community.splunk.com/t5/Splunk-Search/filter-events-on-indexer/m-p/44872#M10608 <P>Hi ,<BR /> I am trying to nullify the windows event log which are of "type=Information" and i want only the events having errors and warnings.<BR /> i am not able to achieve kindly help .<BR /> I am using below:</P> <P>props.conf</P> <P>[WinEventLog:Application]<BR /> TRANSFORMS-set= setnull</P> <P>transforms.conf</P> <P>[setnull]<BR /> REGEX = "Type=Information"<BR /> DEST_KEY = queue<BR /> FORMAT = nullQueue</P> Tue, 26 Sep 2017 07:41:52 GMT https://community.splunk.com/t5/Splunk-Search/filter-events-on-indexer/m-p/44872#M10608 amit2301 2017-09-26T07:41:52Z