Getting Data In

Filtering out the message and body fields from wineventlog

anandhalagaras1
Path Finder

Hi Team,

We are already ingesting wineventlog in splunk. So we are currently working towards the license usage reduction for wineventlog and we have the Splunk_TA_windows - 8.0.0 version installed and all the fields are getting extracted as desired. So now I can see there are two fields getting extracted i.e. One of which is the "Message" and another the field is "body"

So both of them are having the same or identical data so if we filter out both the fields or any of the field then i believe we could save few amount of licenses.

So I have tried as below in my inputs.conf stanza of my wineventlog inputs but still either the Message or body field is not getting filtered out.

 

[WinEventLog://Security]
disabled = 0
suppress_text = 1

[WinEventLog://System]
disabled = 0
suppress_text = 1

[WinEventLog://Application]
disabled = 0
suppress_text = 1

If it is possible i want to filter out both the fields "body" and "Message" or atleast the body field alone so that we would be able to save some licensing.

So kindly help out with the inputs for the same.

 

 

 

Labels (2)
0 Karma

venkatasri
SplunkTrust
SplunkTrust

Hi @anandhalagaras1 

I have replied a solution similar to your case, you can check the same here - Solved: Windows - Filtering Forwarded Events based on LogN... - Splunk Community

Let me know how you go. 

--

An upvote would be appreciated if it helps!

Tags (2)
0 Karma

anandhalagaras1
Path Finder

@venkatasri ,

Thank you for your response. But its not filtering out for particular event id but instead I want to completely remove the field before getting ingested into Splunk.

Currently I can see two fields in our Splunk console one is "body" and another one is "Message". So when i checked the information both seems to be the same.

Example of an event:

body -- >An account was logged off. Subject: Security ID: x-xx-xx-xx-xxxxxxxxx-xxxxx-xxxxxxx-xxxxx Account Name: ABCDEFGH$ Account Domain: XX Logon ID: 1w23456ewera Logon Type: 3

Message -->An account was logged off. Subject: Security ID: x-xx-xx-xx-xxxxxxxxx-xxxxx-xxxxxxx-xxxxx Account Name: ABCDEFGH$ Account Domain: XX Logon ID: 1w23456ewera Logon Type: 3

So similarly there would be another type of "body" field and the same would be in "Message" field .

So  if i remove the "body" field then we can remove the duplicate data which in turn helps to save license.

 

So kindly help to provide with the stanza so that i can test it out in inputs.conf

 

 

0 Karma

venkatasri
SplunkTrust
SplunkTrust

Hi @anandhalagaras1 

If the both fields belongs to same event they can not be dropped to save license. There is no reference in splunk docs, alternatively you can raise a support case.

----

An upvote would be appreciated if it helps!

 

0 Karma

venkatasri
SplunkTrust
SplunkTrust

@anandhalagaras1 Alternative solution is to break the event into two different events 1 body, 1 message. If you are fully confident both having same information then you can send either body/message into nullQueue based on key-word.

---

An upvote would be appreciated if it helps!

0 Karma

anandhalagaras1
Path Finder

@venkatasri ,

 

Actually i want to send the "body" field to nullQueue. So How can I send to nullQueue do we need to write props and transforms for the same. Or should I make them stop by updating in inputs.conf kindly help me with the stanza if possible.

 

 

0 Karma

venkatasri
SplunkTrust
SplunkTrust

@anandhalagaras1 if you still wish to proceed refer this link - Solved: Filtering events using NullQueue - Splunk Community

# props.cong setting
[your_sourcetype]
TRANSFORMS-delete = sendtonullqueue

# transforms.conf settings
[sendtonullqueue]
REGEX = <this_should_match_your_body_uniquely>
DEST_KEY=queue
FORMAT=nullQueue

#Both these settings shall be deployed to indexer/HF 

----

An upvote would be appreciated if it helps!

0 Karma

venkatasri
SplunkTrust
SplunkTrust

@anandhalagaras1 

If your body, message are belongs to same event which means technically that's _raw field. When you send to nullQueue entire event will be lost. Yes props and transforms conf are the way forward.

refer - transforms.conf - Splunk Documentation

0 Karma

anandhalagaras1
Path Finder

Can anyone kindly help on my request please.

Tags (1)
0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...