https://community.splunk.com/t5/Splunk-Search/Filtering-events-and-Windows-Platform-Filtering-events/m-p/91068#M23433 <P>[WinEventLog] inputs, whitelist / blacklist.</P> Wed, 09 Oct 2013 19:31:19 GMT sowings 2013-10-09T19:31:19Z https://community.splunk.com/t5/Splunk-Search/Filtering-events-and-Windows-Platform-Filtering-events/m-p/91062#M23427 <P>When adding a new filter to props.conf and transforms.conf does it remove events that have already been indexed or only new incoming events?</P> <P>We are attempting to filter out all "Windows Platform Filtering" events. Is there a regex to do this, or will we need to have a regex for each Event Code?</P> <P>From a previous question I was given:</P> <PRE><CODE>(?msi)^EventCode=5156D </CODE></PRE> <P>If I search "EventCode=5156" there's plenty of results.</P> <P>I am attempting to search via:</P> <PRE><CODE>| regex _raw=(?msi)^EventCode=5156D </CODE></PRE> <P>I am unable to find anything</P> Wed, 09 Oct 2013 18:30:03 GMT https://community.splunk.com/t5/Splunk-Search/Filtering-events-and-Windows-Platform-Filtering-events/m-p/91062#M23427 ejdavis 2013-10-09T18:30:03Z https://community.splunk.com/t5/Splunk-Search/Filtering-events-and-Windows-Platform-Filtering-events/m-p/91063#M23428 <PRE><CODE>| regex _raw=(?msi)^EventCode=5156\D </CODE></PRE> <P>I think it was missing a \ before the D.<BR /> You can also run this without the \D</P> <PRE><CODE>| regex _raw=(?msi)^EventCode=5156 </CODE></PRE> Wed, 09 Oct 2013 18:35:13 GMT https://community.splunk.com/t5/Splunk-Search/Filtering-events-and-Windows-Platform-Filtering-events/m-p/91063#M23428 lukejadamec 2013-10-09T18:35:13Z https://community.splunk.com/t5/Splunk-Search/Filtering-events-and-Windows-Platform-Filtering-events/m-p/91064#M23429 <P>I'm still unable to find any results via search with either of those regex expressions</P> <P>But I am able to see thousands of events when I search, "EventCode=5156"</P> Wed, 09 Oct 2013 18:49:43 GMT https://community.splunk.com/t5/Splunk-Search/Filtering-events-and-Windows-Platform-Filtering-events/m-p/91064#M23429 ejdavis 2013-10-09T18:49:43Z https://community.splunk.com/t5/Splunk-Search/Filtering-events-and-Windows-Platform-Filtering-events/m-p/91065#M23430 <P>It will never remove anything from the index. You have to use the cli clear command. Technically, even "| delete" doesnt remove it from the index (masks it). </P> <P>To filter out multiple events, see this post:<BR /> <A href="http://answers.splunk.com/answers/59370/filtering-events-using-nullqueue">http://answers.splunk.com/answers/59370/filtering-events-using-nullqueue</A></P> Wed, 09 Oct 2013 18:52:11 GMT https://community.splunk.com/t5/Splunk-Search/Filtering-events-and-Windows-Platform-Filtering-events/m-p/91065#M23430 gregbujak 2013-10-09T18:52:11Z https://community.splunk.com/t5/Splunk-Search/Filtering-events-and-Windows-Platform-Filtering-events/m-p/91066#M23431 <P>Splunk's latest release, version 6, builds event ID filtering into the WinEventLog inputs. See <A href="http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf">inputs.conf documentation</A> for more details.</P> Wed, 09 Oct 2013 19:02:41 GMT https://community.splunk.com/t5/Splunk-Search/Filtering-events-and-Windows-Platform-Filtering-events/m-p/91066#M23431 sowings 2013-10-09T19:02:41Z https://community.splunk.com/t5/Splunk-Search/Filtering-events-and-Windows-Platform-Filtering-events/m-p/91067#M23432 <P>I just tested <BR /> | regex _raw=(?msi)^EventCode=5156<BR /> and it worked. You can also use<BR /> | regex EventCode=5156<BR /> I looked at the most recent inputs.conf information, but I did not see what sowings was refering to. I'm sure it is there, but will take some reading.</P> Wed, 09 Oct 2013 19:21:52 GMT https://community.splunk.com/t5/Splunk-Search/Filtering-events-and-Windows-Platform-Filtering-events/m-p/91067#M23432 lukejadamec 2013-10-09T19:21:52Z https://community.splunk.com/t5/Splunk-Search/Filtering-events-and-Windows-Platform-Filtering-events/m-p/91068#M23433 <P>[WinEventLog] inputs, whitelist / blacklist.</P> Wed, 09 Oct 2013 19:31:19 GMT https://community.splunk.com/t5/Splunk-Search/Filtering-events-and-Windows-Platform-Filtering-events/m-p/91068#M23433 sowings 2013-10-09T19:31:19Z https://community.splunk.com/t5/Splunk-Search/Filtering-events-and-Windows-Platform-Filtering-events/m-p/91069#M23434 <P>Well that does look easy.<BR /> If you are running Splunk6<BR /> Try adding<BR /> blacklist = 5156<BR /> to your inputs.conf stanza for the wmi:wineventlog:security source. And thank sowings.</P> Wed, 09 Oct 2013 19:38:56 GMT https://community.splunk.com/t5/Splunk-Search/Filtering-events-and-Windows-Platform-Filtering-events/m-p/91069#M23434 lukejadamec 2013-10-09T19:38:56Z