Getting Data In

How do I go about filtering data with transform.conf?


I am using universal forwarders installed on my domain controllers, and I am successfully filtering specific events (props.conf and transform.conf are show below). This is working as we want it to work, and the data is being indexed into "SecEvents".

I want to add a new server and index into the same index (SecEvents); however, the list of event IDs are different. How can I filter from multiple sources? I've tried adding the host into the REGEX in the transform - but nothing I've tried works.

For the sake of simplicity - let's just say I want events 1000 and 2000 from the "new server", and I want them to drop into the SecEvents index.

Thanks for your help!

Contents of props.conf

TRANSFORMS-security = events-null, events-filter

Contents of transform.conf

DEST_KEY = queue
FORMAT = nullQueue

#The last 3...may generate a for them
DEST_KEY = queue
FORMAT = indexQueue
0 Karma

Splunk Employee
Splunk Employee

hi @ksbuchanan

Did the answer below solve your problem? If so, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help ya. Thanks for posting!

0 Karma


Why not filter at the universal forwarder level ? Refer to blog post Controlling 4662 Messages in the Windows Security Event Log or to Monitor Windows event log data in particular the whitelist/blacklist section

Alerts for Splunk Admins
Version Control for Splunk
0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.