Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How do I go about filtering data with transform.conf?

ksbuchanan
Explorer
‎10-19-2018 01:22 PM

I am using universal forwarders installed on my domain controllers, and I am successfully filtering specific events (props.conf and transform.conf are show below). This is working as we want it to work, and the data is being indexed into "SecEvents".

I want to add a new server and index into the same index (SecEvents); however, the list of event IDs are different. How can I filter from multiple sources? I've tried adding the host into the REGEX in the transform - but nothing I've tried works.

For the sake of simplicity - let's just say I want events 1000 and 2000 from the "new server", and I want them to drop into the SecEvents index.

Thanks for your help!

Contents of props.conf

[WinEventLog:Security]
TRANSFORMS-security = events-null, events-filter

Contents of transform.conf

[events-null]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[events-filter]
#The last 3...may generate a lot...watch for them
REGEX=(?m)^EventCode=(4720|4722|4724|4725|4726|4727|4728|4729|4730|4731|4732|4733|4734|4735|4737|4740|4741|4743|4744|4745|4746|4747|4748|4749|4750|4751|4752|4753|4754|4755|4756|4757|4758|4759|4760|4761|4762|4763|4767|4771|4723|4625|6272|6273|6278)
DEST_KEY = queue
FORMAT = indexQueue
0 Karma
Reply

mstjohn_splunk
Splunk Employee
Splunk Employee
‎10-22-2018 03:55 PM

hi @ksbuchanan

Did the answer below solve your problem? If so, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help ya. Thanks for posting!

0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
‎10-19-2018 03:05 PM

Why not filter at the universal forwarder level ? Refer to blog post Controlling 4662 Messages in the Windows Security Event Log or to Monitor Windows event log data in particular the whitelist/blacklist section

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

    Thursday, June 25, 2026  |  11AM PDT / 2PM EDT  Duration: 1 Hour (Includes live Q&A) Register to ...

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...