Getting Data In

Can you help me filter out wineventlog eventcode 4656 account names in transforms.conf?

ralphw_SAIC
Path Finder

I am trying to figure out how to filter out account names that end in $ for the 4656 event codes. i am currently using the following in transforms.conf:

REGEX = (?ms)(.*EventCode=4656.*)(Subject:.*Account Name:(\s*\w+\$)
DEST_KEY = queue
FORMAT = nullQueue

I have tried multiple combinations of the above and it never filters out.

0 Karma
1 Solution

splunkjas1
Path Finder

This worked for me:

(?s)(EventCode=4656.*Account Name:[^\$]+\$)

View solution in original post

splunkjas1
Path Finder

This worked for me:

(?s)(EventCode=4656.*Account Name:[^\$]+\$)
Get Updates on the Splunk Community!

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...