https://community.splunk.com/t5/Splunk-Search/Regex-on-a-WMI-security-and-Splunk-formating/m-p/98801#M25468 <P>Hi,</P> <P>I want to filter out all Successful NULL user logins from the Windows Security logs by using transforms.conf to send to the nullQueue before indexing. </P> <P>In the Search app, the lines are displayed as:</P> <PRE><CODE> ... Type=Audit Success User=NULL ... </CODE></PRE> <P>But I am not sure how to create the regex to handle both lines even though the lines come after one another. All the regex testers I have tried have not been helpful.</P> Tue, 10 May 2011 16:25:02 GMT jordans 2011-05-10T16:25:02Z https://community.splunk.com/t5/Splunk-Search/Regex-on-a-WMI-security-and-Splunk-formating/m-p/98801#M25468 <P>Hi,</P> <P>I want to filter out all Successful NULL user logins from the Windows Security logs by using transforms.conf to send to the nullQueue before indexing. </P> <P>In the Search app, the lines are displayed as:</P> <PRE><CODE> ... Type=Audit Success User=NULL ... </CODE></PRE> <P>But I am not sure how to create the regex to handle both lines even though the lines come after one another. All the regex testers I have tried have not been helpful.</P> Tue, 10 May 2011 16:25:02 GMT https://community.splunk.com/t5/Splunk-Search/Regex-on-a-WMI-security-and-Splunk-formating/m-p/98801#M25468 jordans 2011-05-10T16:25:02Z https://community.splunk.com/t5/Splunk-Search/Regex-on-a-WMI-security-and-Splunk-formating/m-p/98802#M25469 <P>By default, Splunk should extract those fields with it's automatic field extraction. For any key=value, Splunk is pretty friendly. To optimize a search that finds all of these:</P> <UL> <LI>Make sure "Type" and "User" get extracted. you may need to turn on field discovery and pick them from the field picker</LI> </UL> <P>Assuming each event contains both of these lines, here is the search:</P> <PRE><CODE>Audit Success NULL | search User=NULL Type="Audit Success" </CODE></PRE> <P>OR</P> <PRE><CODE>User=NULL Type="Audit Success" </CODE></PRE> <P>To filter these events from your results, you want to negate the terms:</P> <PRE><CODE>NOT User=NULL NOT Type="Audit Success" </CODE></PRE> Tue, 10 May 2011 17:44:33 GMT https://community.splunk.com/t5/Splunk-Search/Regex-on-a-WMI-security-and-Splunk-formating/m-p/98802#M25469 Simeon 2011-05-10T17:44:33Z https://community.splunk.com/t5/Splunk-Search/Regex-on-a-WMI-security-and-Splunk-formating/m-p/98803#M25470 <P>I'm afraid I was not clear. I want to filter them out before indexing, so I need to configure transforms.conf. That's the regex I need to figure out.</P> Tue, 10 May 2011 20:17:49 GMT https://community.splunk.com/t5/Splunk-Search/Regex-on-a-WMI-security-and-Splunk-formating/m-p/98803#M25470 jordans 2011-05-10T20:17:49Z https://community.splunk.com/t5/Splunk-Search/Regex-on-a-WMI-security-and-Splunk-formating/m-p/98804#M25471 <P>Sounds like you want to do conditional routing to the nullqueue for specific events. The following thread explains how to route to nullqueue (won't get indexed). You want to modify the regex to recognize your specific events:</P> <P><A href="http://splunk-base.splunk.com/answers/11102/can-i-devnull-a-sourcetype">http://splunk-base.splunk.com/answers/11102/can-i-devnull-a-sourcetype</A></P> Tue, 10 May 2011 21:30:13 GMT https://community.splunk.com/t5/Splunk-Search/Regex-on-a-WMI-security-and-Splunk-formating/m-p/98804#M25471 Simeon 2011-05-10T21:30:13Z https://community.splunk.com/t5/Splunk-Search/Regex-on-a-WMI-security-and-Splunk-formating/m-p/98805#M25472 <P>But that's my whole point. I need to know what the regex is ...</P> Tue, 10 May 2011 22:01:05 GMT https://community.splunk.com/t5/Splunk-Search/Regex-on-a-WMI-security-and-Splunk-formating/m-p/98805#M25472 jordans 2011-05-10T22:01:05Z https://community.splunk.com/t5/Splunk-Search/Regex-on-a-WMI-security-and-Splunk-formating/m-p/98806#M25473 <P>I ended up figuring it out eventually, with some added features:</P> <PRE><CODE>(?m)Type=Audit\sSuccess(\s+.*\s+){6}Account\sName:\s+(USERNAME1|USERNAME2) </CODE></PRE> Tue, 10 May 2011 22:58:10 GMT https://community.splunk.com/t5/Splunk-Search/Regex-on-a-WMI-security-and-Splunk-formating/m-p/98806#M25473 jordans 2011-05-10T22:58:10Z