Getting Data In

Can you help me filter out wineventlog eventcode 4656 account names in transforms.conf?

ralphw_SAIC
Path Finder

I am trying to figure out how to filter out account names that end in $ for the 4656 event codes. i am currently using the following in transforms.conf:

REGEX = (?ms)(.*EventCode=4656.*)(Subject:.*Account Name:(\s*\w+\$)
DEST_KEY = queue
FORMAT = nullQueue

I have tried multiple combinations of the above and it never filters out.

0 Karma
1 Solution

splunkjas1
Path Finder

This worked for me:

(?s)(EventCode=4656.*Account Name:[^\$]+\$)

View solution in original post

splunkjas1
Path Finder

This worked for me:

(?s)(EventCode=4656.*Account Name:[^\$]+\$)
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...