Hi,
I've installed a Splunk forwarder (regular) on a Windows server and am trying to filter out certain events when sending to the Splunk indexer. Here is my sample configuration:
props.conf
[WinEventLog:Security]
TRANSFORMS-null = setnull
transform.conf
[setnull]
REGEX = (?m)^EventCode=(540|673|861)\b
DEST_KEY = queue
FORMAT = nullQueue
Splunk services were stopped while I was editing the files and enabled afterwards. The configuration was done on the forwarder itself. I did a search for "host=serverA EventCode=540" and I still see the events.
Any idea?
This is working for me now, although there isn't much difference from the previous one, but here goes:
[setnull]
REGEX = (?msi)^EventCode=(540|673|861)\b
DEST_KEY = queue
FORMAT = nullQueue
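To check what a nullQueue stanza will actually drop before pushing it to a forwarder, the following added example (not part of this thread, and not Splunk's own code) replays the REGEX from the stanza above over constructed multi-line Windows Security events. It assumes that the regex is applied to the whole raw event text (which is what a parsing forwarder does; a lightweight forwarder that does not break data into events would not behave this way) and uses Python's re module as a stand-in for Splunk's PCRE engine. It shows why the (?m) flag matters (without it, ^ only matches the very first character of the event, which is the timestamp, so nothing is ever dropped) and why the trailing \b keeps a code such as 5400 from being discarded along with 540.

```python
import re

# Constructed sample events in the key=value shape the WinEventLog input
# produces. The codes and messages are made up for this example.
SAMPLE_EVENTS = [
    "01/15/2024 09:00:01 AM\nLogName=Security\nSourceName=Microsoft Windows security auditing.\n"
    "EventCode=540\nEventType=8\nType=Success Audit\nMessage=Successful Network Logon",
    "01/15/2024 09:00:02 AM\nLogName=Security\nSourceName=Microsoft Windows security auditing.\n"
    "EventCode=673\nEventType=8\nType=Success Audit\nMessage=Service Ticket Granted",
    "01/15/2024 09:00:03 AM\nLogName=Security\nSourceName=Microsoft Windows security auditing.\n"
    "EventCode=4624\nEventType=8\nType=Success Audit\nMessage=An account was successfully logged on",
    "01/15/2024 09:00:04 AM\nLogName=Security\nSourceName=Microsoft Windows security auditing.\n"
    "EventCode=5400\nEventType=8\nType=Success Audit\nMessage=Constructed code sharing a prefix with 540",
]

# The three REGEX variants discussed in the thread, plus the un-flagged form
# for comparison. In transforms.conf the regex is unanchored unless it anchors
# itself, so re.search() is the right approximation.
REGEX_M = r"(?m)^EventCode=(540|673|861)\b"
REGEX_MSI = r"(?msi)^EventCode=(540|673|861)\b"
REGEX_NO_FLAGS = r"^EventCode=(540|673|861)\b"


def route_event(raw, regex):
    """Mimic a stanza with DEST_KEY = queue and FORMAT = nullQueue:
    a match anywhere in the raw event drops it, otherwise it stays on
    the default indexQueue."""
    return "nullQueue" if re.search(regex, raw) else "indexQueue"


def event_code(raw):
    """Pull the EventCode field out of a raw event (None if absent)."""
    m = re.search(r"^EventCode=(\d+)$", raw, re.M)
    return m.group(1) if m else None


def summarize(raw_events, regex):
    """Map each event's EventCode to the queue the regex would send it to."""
    return {event_code(e): route_event(e, regex) for e in raw_events}


if __name__ == "__main__":
    for label, regex in (("(?m)", REGEX_M), ("(?msi)", REGEX_MSI), ("no flags", REGEX_NO_FLAGS)):
        print(f"{label:9} {summarize(SAMPLE_EVENTS, regex)}")
```

Running it shows that the (?m) and (?msi) forms behave identically on these events (540 and 673 go to nullQueue, 4624 and 5400 are kept), while the un-flagged form keeps everything. If the stanza looks right here but the events still arrive at the indexer, the problem is elsewhere: the file name or stanza name, the forwarder type, or whether you are looking at events indexed before the change.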
I monitored the events after I made the changes and still see them.
Is this a LightWeightForwarder (LWF) or a regular forwarder? If this is a LightWeightForwarder, this may not work, as data is not parsed into individual events in LWF.
I'm using a regular forwarder.
Just making sure: when you say "I still see the events", are you referring to events that were indexed before you made your changes?