Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I go about filtering data with transform.conf?

ksbuchanan
Explorer
‎10-19-2018 01:22 PM

I am using universal forwarders installed on my domain controllers, and I am successfully filtering specific events (props.conf and transform.conf are show below). This is working as we want it to work, and the data is being indexed into "SecEvents".

I want to add a new server and index into the same index (SecEvents); however, the list of event IDs are different. How can I filter from multiple sources? I've tried adding the host into the REGEX in the transform - but nothing I've tried works.

For the sake of simplicity - let's just say I want events 1000 and 2000 from the "new server", and I want them to drop into the SecEvents index.

Thanks for your help!

Contents of props.conf

[WinEventLog:Security]
TRANSFORMS-security = events-null, events-filter

Contents of transform.conf

[events-null]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[events-filter]
#The last 3...may generate a lot...watch for them
REGEX=(?m)^EventCode=(4720|4722|4724|4725|4726|4727|4728|4729|4730|4731|4732|4733|4734|4735|4737|4740|4741|4743|4744|4745|4746|4747|4748|4749|4750|4751|4752|4753|4754|4755|4756|4757|4758|4759|4760|4761|4762|4763|4767|4771|4723|4625|6272|6273|6278)
DEST_KEY = queue
FORMAT = indexQueue
0 Karma
Reply

mstjohn_splunk
Splunk Employee
Splunk Employee
‎10-22-2018 03:55 PM

hi @ksbuchanan

Did the answer below solve your problem? If so, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help ya. Thanks for posting!

0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
‎10-19-2018 03:05 PM

Why not filter at the universal forwarder level ? Refer to blog post Controlling 4662 Messages in the Windows Security Event Log or to Monitor Windows event log data in particular the whitelist/blacklist section

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...