Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can you help me filter out wineventlog eventcode 4656 account names in transforms.conf?

ralphw_SAIC
Path Finder
‎09-25-2018 10:11 AM

I am trying to figure out how to filter out account names that end in $ for the 4656 event codes. i am currently using the following in transforms.conf:

REGEX = (?ms)(.*EventCode=4656.*)(Subject:.*Account Name:(\s*\w+\$)
DEST_KEY = queue
FORMAT = nullQueue

I have tried multiple combinations of the above and it never filters out.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

splunkjas1
Path Finder
‎09-25-2018 11:30 AM

This worked for me:

(?s)(EventCode=4656.*Account Name:[^\$]+\$)

View solution in original post

Reply
Solved! Jump to solution
Solution

splunkjas1
Path Finder
‎09-25-2018 11:30 AM

This worked for me:

(?s)(EventCode=4656.*Account Name:[^\$]+\$)
Reply
Get Updates on the Splunk Community!

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

At this year’s Splunk University, I had the privilege of chatting with Devesh Logendran, one of the winners in ...

There's No Place Like Chrome and the Splunk Platform

WATCH NOW!Malware. Risky Extensions. Data Exfiltration. End-users are increasingly reliant on browsers to ...

Customer Experience | Join the Customer Advisory Board!

Are you ready to take your Splunk journey to the next level? 🚀 We invite you to join our elite squad ...