I want to reduce index volume by taking advantage of the advanced configuration options to remove extra text and normalize inappropriate values in both Classic and XML WinEventLog events by using SEDCMD as introduced in the Configure props.conf section of Configure the Splunk Add-on for Windows documentation.
To reduce human error and reinventing the wheel, would anyone who created this be willing to share that part of their configuration file?
The official documentation has been updated to capture this guidance. See Configure the Splunk Add-on for Windows within Deploy and Use the Splunk Add-on for Windows for the official guidance.
Absolutely! Here's just those sections. Notice that the explanations still live in the Splunk_TA_windows/default/props.conf, so read there to better understand what you're doing.
Make sure you append this to (or create) a Splunk_TA_windows/local/props.conf:
## Explanations available within default/props.conf. See https://docs.splunk.com/Documentation/WindowsAddOn/latest/User/ConfigurationConfigure_props.conf

[source::WinEventLog:System]
SEDCMD-clean_info_text_from_winsystem_events_this_event = s/This event is generated[\S\s\r\n]+$//g

[source::WinEventLog:Security]
SEDCMD-windows_security_event_formater = s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g
SEDCMD-windows_security_event_formater_null_sid_id = s/(?m)(:)(\s+NULL SID)$/\1/g s/(?m)(ID:)(\s+0x0)$/\1/g
SEDCMD-cleansrcip = s/(Source Network Address: (\:\:1|127\.0\.0\.1))/Source Network Address:/
SEDCMD-cleansrcport = s/(Source Port:\s*0)/Source Port:/
SEDCMD-remove_ffff = s/::ffff://g
SEDCMD-clean_info_text_from_winsecurity_events_certificate_information = s/Certificate information is only[\S\s\r\n]+$//g
SEDCMD-clean_info_text_from_winsecurity_events_token_elevation_type = s/Token Elevation Type indicates[\S\s\r\n]+$//g
SEDCMD-clean_info_text_from_winsecurity_events_this_event = s/This event is generated[\S\s\r\n]+$//g
# For XmlWinEventLog:Security
SEDCMD-cleanxmlsrcport = s/<Data Name='IpPort'>0<\/Data>/<Data Name='IpPort'><\/Data>/
SEDCMD-cleanxmlsrcip = s/<Data Name='IpAddress'>(\:\:1|127\.0\.0\.1)<\/Data>/<Data Name='IpAddress'><\/Data>/

[source::WinEventLog:ForwardedEvents]
SEDCMD-remove_ffff = s/::ffff://g
SEDCMD-cleansrcipxml = s/<Data Name='IpAddress'>(\:\:1|127\.0\.0\.1)<\/Data>/<Data Name='IpAddress'><\/Data>/
SEDCMD-cleansrcportxml = s/<Data Name='IpPort'>0<\/Data>/<Data Name='IpPort'><\/Data>/
SEDCMD-clean_rendering_info_block = s/<RenderingInfo Culture='.*'>(?s)(.*)<\/RenderingInfo>//

[WMI:WinEventLog:System]
SEDCMD-clean_info_text_from_winsystem_events_this_event = s/This event is generated[\S\s\r\n]+$//g

[WMI:WinEventLog:Security]
SEDCMD-windows_security_event_formater = s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g
SEDCMD-windows_security_event_formater_null_sid_id = s/(?m)(:)(\s+NULL SID)$/\1/g s/(?m)(ID:)(\s+0x0)$/\1/g
SEDCMD-cleansrcip = s/(Source Network Address: (\:\:1|127\.0\.0\.1))/Source Network Address:/
SEDCMD-cleansrcport = s/(Source Port:\s*0)/Source Port:/
SEDCMD-remove_ffff = s/::ffff://g
SEDCMD-clean_info_text_from_winsecurity_events_certificate_information = s/Certificate information is only[\S\s\r\n]+$//g
SEDCMD-clean_info_text_from_winsecurity_events_token_elevation_type = s/Token Elevation Type indicates[\S\s\r\n]+$//g
SEDCMD-clean_info_text_from_winsecurity_events_this_event = s/This event is generated[\S\s\r\n]+$//g
Finally, it's important to recognize that SEDCMD usage causes an increase in indexer processing of the data. As a result, there will be a related uptick in resource usage and processing time for each event which, over a large enough volume of affected data, could produce a 'latency' or slight delay in time from receiving and writing events.
Fortunately, this is easily mitigated by a healthy scaling of indexers and an even distribution of events from the forwarders to indexers. Ultimately, these SEDCMDs produce a strong improvement in search performance. This performance improvement easily outweighs the additional indexer processing.
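As an added illustration (not part of the answer above and not Splunk's own code), here is a small Python harness that replays several of the Security-stanza SEDCMD values against a constructed 4624-style event and an XML fragment, so you can see what text the indexer would actually store before pushing the props.conf out. It assumes the rules run in the order listed and that Splunk's sed-style `s/pattern/replacement/flags` syntax maps onto Python's `re` module as shown (the `\1` backreference, `\/` escaping and inline `(?m)`/`(?s)` flags are the only translations needed).

```python
import re

# SEDCMD values copied from the props.conf above (Security stanza, Classic and
# XML rules), replayed in the order they are listed.
SECURITY_SEDCMDS = [
    r"s/(?m)(^\s+[^:]+\:)\s+-?$/\1/g",
    r"s/(?m)(:)(\s+NULL SID)$/\1/g s/(?m)(ID:)(\s+0x0)$/\1/g",
    r"s/(Source Network Address: (\:\:1|127\.0\.0\.1))/Source Network Address:/",
    r"s/(Source Port:\s*0)/Source Port:/",
    r"s/This event is generated[\S\s\r\n]+$//g",
    r"s/<Data Name='IpPort'>0<\/Data>/<Data Name='IpPort'><\/Data>/",
    r"s/<Data Name='IpAddress'>(\:\:1|127\.0\.0\.1)<\/Data>/<Data Name='IpAddress'><\/Data>/",
]

# One s/pattern/replacement/flags command; a literal '/' inside is written '\/'.
_SED = re.compile(r"s/((?:\\.|[^/])*)/((?:\\.|[^/])*)/([a-z]*)")
_INLINE_FLAGS = re.compile(r"\(\?([imsx]+)\)")

def apply_sedcmd(text, script):
    """Apply one SEDCMD value (one or more s/// commands) to text."""
    for m in _SED.finditer(script):
        pat, repl, flags = m.groups()
        # Splunk's engine accepts (?s)/(?m) mid-pattern; Python wants global
        # flags first, so hoist them to the front of the pattern.
        hoisted = "".join(_INLINE_FLAGS.findall(pat))
        pat = "(?%s)%s" % (hoisted, _INLINE_FLAGS.sub("", pat)) if hoisted else pat
        repl = repl.replace(r"\/", "/")  # re.sub would keep '\/' verbatim
        text = re.sub(pat, repl, text, count=0 if "g" in flags else 1)
    return text

def clean_event(text, scripts=SECURITY_SEDCMDS):
    """Run every SEDCMD over one event; returns what the indexer would store."""
    for script in scripts:
        text = apply_sedcmd(text, script)
    return text

# Constructed 4624-style Classic event (not a real capture), tab-indented like
# the rendered text so that each Classic rule above has something to strip.
SAMPLE_EVENT = (
    "An account was successfully logged on.\n\nSubject:\n"
    "\tSecurity ID:\t\tNULL SID\n\tAccount Name:\t\t-\n\tLogon ID:\t\t0x0\n\n"
    "Network Information:\n\tWorkstation Name:\tWS01\n"
    "\tSource Network Address: 127.0.0.1\n\tSource Port:\t\t0\n\n"
    "This event is generated when a logon session is created. "
    "It is generated on the computer that was accessed.\n"
)
# Constructed XML fragment for the XmlWinEventLog rules.
SAMPLE_XML = "<Data Name='IpAddress'>::1</Data><Data Name='IpPort'>0</Data>"

if __name__ == "__main__":
    print(clean_event(SAMPLE_EVENT), len(SAMPLE_EVENT), "->", len(clean_event(SAMPLE_EVENT)))
```

Comparing `len()` before and after on a few real events from your own environment gives a quick estimate of the per-event savings the answer describes, and running it over a batch of events is a cheap way to spot a rule that does not match the whitespace your rendering actually produces.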