I have a bunch of light forwarders sending data to a central heavy forwarder which sends the data to the main indexer.
This is my props.conf
and transforms.conf
located on the central heavy forwarder. The light forwarders and main indexer do not have a props.conf
or transforms.conf
.
Is this correct and/or what am I doing wrong and is there a more efficient way to do this?
Thanks.
props.conf
(located %SPLUNK_HOME\etc\system\local\props.conf
)
[wmi]
TRANSFORMS-wmi=wminull
transforms.conf
(located %SPLUNK_HOME\etc\system\local\transforms.conf
)
[wminull]
REGEX=(?m)^Process_Name="C:\\Winpds\\Prismexe\\netman.exe"
DEST_KEY=queue
FORMAT=nullQueue
[wminull]
REGEX=(?m)^Process_Name="C:\\Program*\\Symantec\\Symantec*Endpoint*Protection\\Rtvscan.exe"
DEST_KEY=queue
FORMAT=nullQueue
I think i found it. There is a "." in the REGEX
. I needed to put a backslash "\" before the "." So the lines should have been:
REGEX=(?m)^Process_Name="C:\\Winpds\\Prismexe\\netman\.exe"
REGEX=(?m)^Process_Name="C:\\Program*\\Symantec\\Symantec Endpoint Protection\\Rtvscan\.exe"
Did I mention that I'm new to this whole REGEX
thing?
I was completely off!
Process_Name
can't be used (unless I want to get really hard core in editing other conf files)
Here is the working config:
props.conf
[WinEventLog:Security]
TRANSFORMS-null = setnull
transforms.conf
[setnull]
REGEX=(?msi)^EventCode=(520.*netman\.exe|4656.*rtvscan\.exe)
DEST_KEY=queue
FORMAT=nullQueue
I was completely off!
Process_Name
can't be used (unless I want to get really hard core in editing other conf files)
Here is the working config:
props.conf
[WinEventLog:Security]
TRANSFORMS-null = setnull
transforms.conf
[setnull]
REGEX=(?msi)^EventCode=(520.*netman\.exe|4656.*rtvscan\.exe)
DEST_KEY=queue
FORMAT=nullQueue
I think i found it. There is a "." in the REGEX
. I needed to put a backslash "\" before the "." So the lines should have been:
REGEX=(?m)^Process_Name="C:\\Winpds\\Prismexe\\netman\.exe"
REGEX=(?m)^Process_Name="C:\\Program*\\Symantec\\Symantec Endpoint Protection\\Rtvscan\.exe"
Did I mention that I'm new to this whole REGEX
thing?
I even used the msi
option.
bump! Help? Anyone?
Never mind. It still doesn't work!
Yes, this is right. Please see: http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings%3F for more about where to configure parsing settings.
I don't think my syntax is correct though. These events are still being forwarded to the central indexer.