To limit the indexing of some WinEventLogs, I was using a nullQueue filter at index time as described here:
http://docs.splunk.com/Documentation/Splunk/6.0.1/Forwarding/Routeandfilterdatad#Filter_WMI_events
It helps limit the volume and get rid of some useless events.
On the forwarder, in inputs.conf:
[WinEventLog:Security]
disabled=false
On the indexers, in props.conf:
[WinEventLog:Security]
TRANSFORMS-myWonderFilter=getRidOfThoseEventCodes
and in transforms.conf:
[getRidOfThoseEventCodes]
REGEX=(?m)^EventCode=(592|593|594|1523)
DEST_KEY=queue
FORMAT=nullQueue
It works, but the events are still collected and forwarded. I heard about a new method in Splunk 6.* to filter at the forwarder level. Any examples?
There is a new method, explained here:
http://docs.splunk.com/Documentation/Splunk/6.0.1/Data/MonitorWindowsdata
You can set up a blacklist and a whitelist in the inputs.conf on the Windows forwarders.
The filter applies only to the EventCodes, but can use a list of codes or a range.
The advantage is that the events are not collected in the first place, reducing the network traffic and the CPU usage on the indexers to filter using the regex.
Example of your filter on the new version:
On the forwarder, in inputs.conf:
[WinEventLog:Security]
disabled=false
whitelist=592-594,1523
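As an added illustration (not part of the question or answer above, and not Splunk's own code), the following Python models how the two filter placements evaluate the same sample events: the inputs.conf whitelist/blacklist code spec from the answer ("592-594,1523", a range plus a single code) and the transforms.conf nullQueue regex from the question. Sample events and function names are constructed; the whitelist-then-blacklist evaluation order is a simplified assumption, so compare each result against the nullQueue result to see which key reproduces the original intent of dropping those codes rather than keeping only them.

```python
import re

# Constructed sample of WinEventLog:Security events as the forwarder would see them
# (only EventCode matters for the filter; the Message text is illustrative).
SAMPLE_EVENTS = [
    "EventCode=592\nMessage=constructed sample",
    "EventCode=593\nMessage=constructed sample",
    "EventCode=594\nMessage=constructed sample",
    "EventCode=1523\nMessage=constructed sample",
    "EventCode=4624\nMessage=constructed sample",
    "EventCode=4625\nMessage=constructed sample",
]

def parse_code_spec(spec):
    """Expand an inputs.conf whitelist/blacklist EventCode spec such as
    "592-594,1523" (comma-separated codes and low-high ranges) into a set of ints."""
    codes = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            low, high = (int(x) for x in part.split("-", 1))
            codes.update(range(low, high + 1))
        else:
            codes.add(int(part))
    return codes

def event_code(raw_event):
    m = re.search(r"(?m)^EventCode=(\d+)", raw_event)
    return int(m.group(1)) if m else None

def forwarder_filter(events, whitelist=None, blacklist=None):
    """Forwarder-side (inputs.conf) model: a whitelist keeps only listed codes, a
    blacklist drops listed codes (assumed order: whitelist first). Returns the
    EventCodes that would actually leave the forwarder."""
    keep = parse_code_spec(whitelist) if whitelist else None
    drop = parse_code_spec(blacklist) if blacklist else set()
    kept = []
    for ev in events:
        code = event_code(ev)
        if keep is not None and code not in keep:
            continue
        if code in drop:
            continue
        kept.append(code)
    return kept

# Indexer-side nullQueue regex from the question, for comparison.
NULLQUEUE_REGEX = re.compile(r"(?m)^EventCode=(592|593|594|1523)")

def indexer_filter(events):
    """Indexer-side model: every event still crosses the network, then the
    transforms.conf regex routes matches to nullQueue. Returns surviving EventCodes."""
    return [event_code(ev) for ev in events if not NULLQUEUE_REGEX.search(ev)]
```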