Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do you filter Windows:Security:Events: 5145 using use transforms.conf and props.conf?

rfrazier
New Member
‎06-01-2015 02:02 PM

I am trying to filter Windows:Security:Events: 5145. I created the props.conf and the transforms.conf file listed below. I have it in a app called all_indexers which gets push to all indexers. The props.conf and the transforms.conf files are in the /all_indexers/local/ directory on each of the indexers. Some thing is amiss, but I can't seem to find it.

Contents of the transforms.conf

Filter Widows Security Events: 5145

[nullFilter-5145]
REGEX=(EventCode=5145)
DEST_KEY=queue
FORMAT=nullQueue

Contents of the props.conf

[source::WinEventLog:Security]
TRANSFORMS-nullQ=nullFilter-5145

0 Karma
Reply

bohrasaurabh
Communicator
‎06-01-2015 02:15 PM

in props.conf try stanza as

[source::*:Security]

in transforms you might have to change REGEX as

REGEX = (EventCode)=(5145)

0 Karma
Reply

rfrazier
New Member
‎06-02-2015 07:55 AM

I made the changes to transforms.conf and props.conf. These conf files are in $SPLUNKHOME/etc/apps/all_indexers/local.

Should these files be in $SPLUNKHOME/etc/system/local/ on each of the indexers instead?

0 Karma
Reply

bohrasaurabh
Communicator
‎06-02-2015 10:22 AM

This should be actually done within the Windows TA's local directory and then deployed to all Index servers. The location on the index server should be $SPLUNKHOME/etc/apps/{Windows_TA_NAME}/local.

If you have deployment server, then use that to deploy.

0 Karma
Reply
Get Updates on the Splunk Community!

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...