I have been trying for 2-3 days to get Windows event log data to be filtered, and specifically to dump a certain event ID. After hours of attempts I decided to just get ALL event log data to dump to nullQueue, and yet none of my attempts have been successful.
I have read several threads on the Splunk site on how to set up nullQueue forwarding, but I am missing something. If anybody can shed light on this it will be appreciated.
In my current config (%SPLUNK%\etc\system\local):
In props.conf:
[WinEventLog:Security]
TRANSFORMS-null = nullevent
In transforms.conf:
[nullevent]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
I have also tried in props.conf:
[wmi]
TRANSFORMS-null = nullevent
[source::WinEventlog:Security]
TRANSFORMS-null = nullevent
However, my security events continue to come in. This is a test only; once I am sure all events are being filtered I will set up appropriate regex statements to filter out unnecessary data.
Despite what's mentioned in the documentation, I think you need REGEX = (.). I had a similar problem in a different scenario, and it seems that transforms only work if they have a matching group.
Did you try to add (?m) in front of your regex and restart the Splunk services? Example: In props.conf:
[WinEventLog:Security]
TRANSFORMS-null = nullevent
In transforms.conf:
[nullevent]
REGEX = (?m)^EventCode=(592|593)
DEST_KEY = queue
FORMAT = nullQueue
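To see why the (?m) flag matters for this transform, here is an added example (not from the original thread, and not Splunk's own code) that simulates how a transforms.conf REGEX is searched against a multi-line WinEventLog:Security event and decides whether it goes to nullQueue. The sample event and the `route` helper are constructed for illustration; Splunk itself uses PCRE, but Python's `re` treats `(?m)` and `^` the same way for this case.

```python
import re

# Constructed sample of a classic-format Windows Security event as Splunk
# sees it: one multi-line raw event, with EventCode= on its own line.
SAMPLE_EVENT_592 = """01/15/2013 10:00:00 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=592
EventType=0
ComputerName=host01.example.local
Message=A new process has been created.
"""

# Same layout, but an event ID the transform is not meant to drop.
SAMPLE_EVENT_4624 = SAMPLE_EVENT_592.replace("EventCode=592", "EventCode=4624")


def regex_matches(event: str, regex: str) -> bool:
    """Mimic a transforms.conf REGEX: Splunk searches the pattern anywhere in
    the raw event (search semantics, not full-match), so a bare '^' only
    anchors to the very first character of the event unless (?m) is set."""
    return re.search(regex, event) is not None


def route(event: str, regex: str) -> str:
    """Decide the queue the way 'DEST_KEY = queue / FORMAT = nullQueue' would:
    a match sends the event to nullQueue, otherwise it stays on indexQueue.
    (Hypothetical helper for this example only.)"""
    return "nullQueue" if regex_matches(event, regex) else "indexQueue"


if __name__ == "__main__":
    for pattern in (r"^EventCode=(592|593)", r"(?m)^EventCode=(592|593)", r"."):
        print(f"{pattern!r:32} 592 -> {route(SAMPLE_EVENT_592, pattern)}, "
              f"4624 -> {route(SAMPLE_EVENT_4624, pattern)}")
```

Without (?m) the anchored pattern never matches because the event starts with the timestamp line, so nothing is dropped; with (?m) only the 592/593 events are routed to nullQueue, while the catch-all `.` drops everything.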