Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Ask a Question

Filtering local input data - problem

btester
New Member
โ€Ž01-11-2011 02:04 PM

I have been trying for 2-3 days to get windows event log data to be filtered, and specifically dump a certain event id. After hours of attempts I decided to just get ALL event log data to dump to nullQueue and yet none of my attempts have been successful.

I have read several threads on the splunk site on how to setup nullQueue forwarding, but I am missing something. If anybody can shed light on this it will be appreciated.

In my current config %SPLUNK%\etc\system\local

In props.conf

[WinEventLog:Security]
TRANSFORMS-null = nullevent

in transforms.conf

[nullevent]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

I have also tried in props.conf

[wmi]
TRANSFORMS-null = nullevent

[source::WinEventlog:Security]
TRANSFORMS-null = nullevent

however my security events continue to come in. This is a test only, once I am sure all events are being filtered I will seutp appropriate regex statements to filter out unnecessary data.

Tags (2)
0 Karma
Reply

wollinet
Path Finder
โ€Ž04-06-2011 11:35 AM

Despite what's mentioned in the documentation, I think you need REGEX = (.). I had a similar problem in a different scenarion and it seems that transforms only work if they have a matching group.

0 Karma
Reply

MarioM
Motivator
โ€Ž01-11-2011 03:21 PM

did you try to add (?m) in front of your regex and restart splunk services? Example: In props.conf: 

[WinEventLog:Security]
TRANSFORMS-null = nullevent

In transforms.conf

[nullevent]
REGEX = (?m)^EventCode=(592|593)
DEST_KEY = queue
FORMAT = nullQueue
0 Karma
Reply