https://community.splunk.com/t5/Splunk-Search/How-to-keep-only-certain-users-events-from-Windows-event-log/m-p/307298#M92197 <P>Hello,<BR /> I would like to filter, at the indexers, events coming from WinEventLog:Security to keep only certain users .<BR /> The problem is that the list of users is really huge and contains, more or less, 1200 entries. The customer I am working for has set up a REGEX with 1199 pipes(!) for 1200 entries.<BR /> A little sample of what is inside the transforms.conf file is: </P> <PRE><CODE>REGEX = (?i)(A111111)|(A111112)|(A111118)... and so on with 1199 pipes </CODE></PRE> <P>The final result is that the indexers (2 with 12 cores and 12 GB of RAM) become unresponsive, there is huge indexing lag and a lot of broken pipe connections from Windows Universal Forwarders.<BR /> How can I keep, in a better way, only those users' events?</P> <P>Thanks in advance.</P> Wed, 29 Nov 2017 14:14:31 GMT cafissimo 2017-11-29T14:14:31Z https://community.splunk.com/t5/Splunk-Search/How-to-keep-only-certain-users-events-from-Windows-event-log/m-p/307298#M92197 <P>Hello,<BR /> I would like to filter, at the indexers, events coming from WinEventLog:Security to keep only certain users .<BR /> The problem is that the list of users is really huge and contains, more or less, 1200 entries. The customer I am working for has set up a REGEX with 1199 pipes(!) for 1200 entries.<BR /> A little sample of what is inside the transforms.conf file is: </P> <PRE><CODE>REGEX = (?i)(A111111)|(A111112)|(A111118)... and so on with 1199 pipes </CODE></PRE> <P>The final result is that the indexers (2 with 12 cores and 12 GB of RAM) become unresponsive, there is huge indexing lag and a lot of broken pipe connections from Windows Universal Forwarders.<BR /> How can I keep, in a better way, only those users' events?</P> <P>Thanks in advance.</P> Wed, 29 Nov 2017 14:14:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-keep-only-certain-users-events-from-Windows-event-log/m-p/307298#M92197 cafissimo 2017-11-29T14:14:31Z https://community.splunk.com/t5/Splunk-Search/How-to-keep-only-certain-users-events-from-Windows-event-log/m-p/307299#M92198 <P>Hi @cafissimo,</P> <P>Have you tried with filtering those Users on forwarder instead of at Indexer. Please refer <A href="http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Data/MonitorWindowseventlogdata">http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Data/MonitorWindowseventlogdata</A> and search for <STRONG>Create advanced filters with 'whitelist' and 'blacklist'</STRONG>, I have tried this config with SourceName and it is working fine but with small number of SourceName. And I am not sure how Splunkforwarder behaves with 1200 User filtering and also if you want to configure Username explicitly then approach which I have provided will not work because you need to add 1200 whitelist.</P> Wed, 29 Nov 2017 14:28:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-keep-only-certain-users-events-from-Windows-event-log/m-p/307299#M92198 harsmarvania57 2017-11-29T14:28:11Z https://community.splunk.com/t5/Splunk-Search/How-to-keep-only-certain-users-events-from-Windows-event-log/m-p/307300#M92199 <P>Hi cafissimo,<BR /> I think that probably you riched the limit of the lenght of a regex and there a very higl overload on the Indexers caused by the regex!<BR /> In addition this solution isn't well manageable because for every update you have to restart all your Splunk indexers!</P> <P>Did you checked what's the difference (in license use) indexing events for all the users or if the not interesting users are less that the interesting ones?<BR /> maybe there a little difference!</P> <P>In addition: are you sure that you need all the Windows EventCodes, maybe not indexing some events you reach the same goal of users reducing.</P> <P>Anyway, to semplificate you regex, you should try to identify some common username parts (e.g.: A111) so you could limit the regex lenght, but not the work for the Indexers!</P> <P>I hope to be useful.</P> <P>Bye.<BR /> Giuseppe</P> Wed, 29 Nov 2017 14:30:00 GMT https://community.splunk.com/t5/Splunk-Search/How-to-keep-only-certain-users-events-from-Windows-event-log/m-p/307300#M92199 gcusello 2017-11-29T14:30:00Z https://community.splunk.com/t5/Splunk-Search/How-to-keep-only-certain-users-events-from-Windows-event-log/m-p/307301#M92200 <P>I have tried whitelisting @ forwarder side for Windows Event Codes (the most typical are 4624, 4625, 4634, ...) but never tried with a so big list and since I am working in a production environment with Domain Controllers I cannot make such test.<BR /> I need a proven solution.<BR /> Thank you.</P> Wed, 29 Nov 2017 14:33:23 GMT https://community.splunk.com/t5/Splunk-Search/How-to-keep-only-certain-users-events-from-Windows-event-log/m-p/307301#M92200 cafissimo 2017-11-29T14:33:23Z https://community.splunk.com/t5/Splunk-Search/How-to-keep-only-certain-users-events-from-Windows-event-log/m-p/307302#M92201 <P>I was thinking about writing a python or AWK program to optimize the REGEX, but it's not that simple in my scenario.<BR /> I am working in a PCI environment and the customer prefers to index "more" data than needed.<BR /> For the time being I have ended up writing a short REGEX that keeps all users beginning with "X" followed by 6 chars.<BR /> I was just wondering if anyone has ever faced a similar situation.<BR /> Thank you.</P> Wed, 29 Nov 2017 14:36:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-keep-only-certain-users-events-from-Windows-event-log/m-p/307302#M92201 cafissimo 2017-11-29T14:36:58Z https://community.splunk.com/t5/Splunk-Search/How-to-keep-only-certain-users-events-from-Windows-event-log/m-p/307303#M92202 <P>Hi cafissimo,I think that, if you can, the best way is to index all users (eventually reducing EventCodes) and then filter them in search, using a lookup.<BR /> Bye.<BR /> Giuseppe</P> Wed, 29 Nov 2017 14:52:18 GMT https://community.splunk.com/t5/Splunk-Search/How-to-keep-only-certain-users-events-from-Windows-event-log/m-p/307303#M92202 gcusello 2017-11-29T14:52:18Z https://community.splunk.com/t5/Splunk-Search/How-to-keep-only-certain-users-events-from-Windows-event-log/m-p/307304#M92203 <P>Yes, I know it and I agree with you, but I should change some correlation searches in Splunk App for PCI Compliance.<BR /> Other than this I'll have to check next days if indexing volume is not increasing too much.<BR /> Thanks.</P> Wed, 29 Nov 2017 14:57:28 GMT https://community.splunk.com/t5/Splunk-Search/How-to-keep-only-certain-users-events-from-Windows-event-log/m-p/307304#M92203 cafissimo 2017-11-29T14:57:28Z https://community.splunk.com/t5/Splunk-Search/How-to-keep-only-certain-users-events-from-Windows-event-log/m-p/307305#M92204 <P>If all the usernames start with an "A" and then have 6 numbers you can use this:</P> <PRE><CODE>([aA][0-9]{6}) </CODE></PRE> <P>if you just want A111111 to A112311 you can use:</P> <PRE><CODE>([aA]11[12][0-9]{3}) </CODE></PRE> Thu, 07 Dec 2017 08:26:57 GMT https://community.splunk.com/t5/Splunk-Search/How-to-keep-only-certain-users-events-from-Windows-event-log/m-p/307305#M92204 aholzel 2017-12-07T08:26:57Z