topic Re: data filter in Splunk Search

data filter

blebit — Mon, 28 Sep 2020 15:47:01 GMT

hello ,

@ props.conf

[host::TheHost]

TRANSFORMS-ReadData_bktfileserver = filter_ReadData

[WinEventLog:Security]
TRANSFORMS-filter4663 = filter_4663_readdata

@ transforms.conf

Filter EventCode=4663 (Filter ReadData)

[filter_4663_readdata]
REGEX = EventCode=4663.*?ReadData (or ListDirectory)
DEST_KEY = queue
FORMAT = nullQueue

Can anybody help me ??? i am trying to filter eventcode 4663 but only those who have dhe extension "ReadData (or ListDirectory)"

Re: data filter

lukejadamec — Fri, 31 Jan 2014 14:43:03 GMT

Try this:

REGEX= "(?msi)EventCode=4663.*readdata|EventCode=4663.*listdirectory"

Re: data filter

hRun — Fri, 31 Jan 2014 14:43:19 GMT

I'm not quite sure I understood your question.

What do you mean by "filter"? Extracting the field or discarding it?

At the moment, you are creating the field "filter4663" in props.conf and tie it to your regex in transforms.conf, which gets discarded by FORMAT=nullQueue. So eventcode 4663 is replaced with nothing.

The regex doesn't seem to be valid, it should look like this:

REGEX = (?i)EventCode=4663.*ReadData\s\(or\sListDirectory\)

Re: data filter

blebit — Fri, 31 Jan 2014 15:24:10 GMT

thanks for the answer,
the point is that i want to drop all eventcodes 4663 for Object access with message "ReadData", because i have too much logs. BUT 4663 is for DELETE either. thats why i want to filter based on message attached to eventcode.

Re: data filter

blebit — Fri, 31 Jan 2014 15:25:05 GMT

why 4625? i want 4663

Re: data filter

lukejadamec — Fri, 31 Jan 2014 15:46:56 GMT

That was the one I used for testing. I fixed it.
I tested this in the search window, and it worked fine.

Re: data filter

blebit — Wed, 05 Feb 2014 08:11:54 GMT

thanks. it works

Re: data filter

lukejadamec — Wed, 05 Feb 2014 13:06:19 GMT

Good news. Feel free to accept the answer.