I was able to successfully filter events using the lines below in props.conf and transforms.conf. Has anyone filtered using another field of the same event? I want to filter by EventCode and Account_Name. We have one particular account that we expect to generate a high number of these events, but we are interested in the others. Is this just a matter of modifying the same REGEX line?
props.conf:
[WMI:WinEventLog:Security]
TRANSFORMS-wmi=wminull
Note: In pre-4.2.x versions of Splunk, you must use [wmi] as the sourcetype in order to send events to nullQueue.
transforms.conf
[wminull]
REGEX=(?m)^EventCode=(4662)
DEST_KEY=queue
FORMAT=nullQueue
Yes, when using transforms you can filter on anything you can match with regex. (This happens on your indexers unless you are using heavy forwarders.)
Side note: in the scenario that you are only filtering based on the Windows code, see the following article on how to filter Windows codes directly on the Universal Forwarder.
http://blogs.splunk.com/2013/10/14/windows-event-logs-in-splunk-6/
You may want to paste a sample event here if you need help with the regex.
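As an added worked example that is not part of the original thread, the two-field filter discussed above (drop EventCode 4662 only when the Subject's Account Name is the noisy account) written as a single REGEX and run against constructed sample events in the multi-line key=value layout of WinEventLog events. The account name MyADUser and the sample events are assumptions for illustration. Python's `re` treats `(?m)`, `[\s\S]`, lazy quantifiers and `\b` the same way as the PCRE engine Splunk uses for REGEX, so what matches here matches in transforms.conf.

```python
import re

# Constructed sample events in the multi-line "key=value" layout that Splunk's
# WinEventLog / WMI:WinEventLog inputs produce. Not real log data.
NOISY_4662 = (
    "EventCode=4662\n"
    "EventType=0\n"
    "Message=An operation was performed on an object.\n"
    "\n"
    "Subject:\n"
    "\tSecurity ID:\t\tS-1-5-21-1-2-3-1105\n"
    "\tAccount Name:\t\tMyADUser\n"
    "\tAccount Domain:\t\tCORP\n"
)
OTHER_4662 = NOISY_4662.replace("MyADUser", "svc_backup")        # same code, other account
PREFIX_4662 = NOISY_4662.replace("MyADUser", "MyADUser2")        # similar name, must be kept
NOISY_4624 = NOISY_4662.replace("EventCode=4662", "EventCode=4624")  # noisy account, other code
NOISY_4662_CRLF = NOISY_4662.replace("\n", "\r\n")               # Windows line endings

# The two-field filter: EventCode at the start of a line, then the first
# "Account Name:" line naming the noisy account. (?m) makes ^ match at every
# line start, \r?\n tolerates CRLF, [\s\S]*? spans lines lazily, and the
# trailing \b stops "MyADUser" from also matching "MyADUser2".
DROP_NOISY_ACCOUNT = re.compile(
    r"(?m)^EventCode=4662\r?\n[\s\S]*?^[ \t]*Account Name:[ \t]+MyADUser\b"
)

# The same pattern after a forum paste strips the backslash from \n: a literal
# "n" never follows "4662", so this version matches nothing.
STRIPPED_BACKSLASH = re.compile(
    r"(?m)^EventCode=(4662)n([\s\S]*?)(Account Name:\s+MyADUser)"
)


def route(event, regex=DROP_NOISY_ACCOUNT):
    """Emulate one transforms.conf stanza with DEST_KEY=queue / FORMAT=nullQueue:
    return 'nullQueue' when REGEX matches the raw event, else 'indexQueue'."""
    return "nullQueue" if regex.search(event) else "indexQueue"


if __name__ == "__main__":
    for name, ev in [("noisy 4662", NOISY_4662), ("other 4662", OTHER_4662),
                     ("prefix name", PREFIX_4662), ("noisy 4624", NOISY_4624),
                     ("noisy 4662 CRLF", NOISY_4662_CRLF)]:
        print(f"{name:16s} -> {route(ev)}")
    print(f"stripped \\n     -> {route(NOISY_4662, STRIPPED_BACKSLASH)}")
```

Two details matter when moving this into transforms.conf: the raw event may carry CRLF line endings, so a bare `\n` after the EventCode line is fragile, and without the `\b` (or an anchor on the end of the line) the account match also fires for any account whose name merely starts with the noisy one.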
Thanks for the feedback. I have a REGEX that should work but now it's not filtering any 4662 events so the REGEX is not matching anything in Splunk.
REGEX=(?m)^EventCode=(4662)\n([\s\S]*?)(Account Name:\s+MyADUser)
What am I missing? Anyone?
Slashes were removed from the REGEX in the last post
(?m)^EventCode=(4662)\n([\s\S]*?)(Account Name:\s+watchguard)
Please help me out with how to create a REGEX for the below list of event codes in transforms.conf.
I want to index only the data for these event codes in Splunk Cloud.
4768-4777,4820,4720,4722-4735,4737-4767,4780-4794,4797-4799
5328,5348,5349
7837
props.conf
[WinEventLog:Security]
TRANSFORMS=null-queue
transforms.conf
[null-queue]
REGEX=
DEST_KEY=queue
FORMAT=nullQueue
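As an added worked example, not from the original thread, here is how to turn the code list above into an anchored REGEX and how a "keep only these codes" filter is usually built in Splunk: a catch-all transform that sends everything to nullQueue, followed by a second transform that matches the wanted codes and sets the queue back to indexQueue. Splunk applies the transforms listed in `TRANSFORMS-...` in order and the last DEST_KEY=queue assignment wins, so the catch-all has to come first. The stanza names `setnull` and `keepcodes` and the sample events are assumptions for illustration; the code list is the one from the question. The script expands the ranges, renders the two config stanzas, and emulates the routing on sample events so the anchoring can be checked before deploying.

```python
import re

# Code list from the question above (ranges are inclusive).
KEEP_SPEC = """
4768-4777,4820,4720,4722-4735,4737-4767,4780-4794,4797-4799
5328,5348,5349
7837
"""

# Constructed sample events in WinEventLog key=value layout; not real log data.
SAMPLE_EVENTS = {
    "kerberos_4768": "EventCode=4768\nEventType=0\nMessage=A Kerberos authentication ticket (TGT) was requested.\n",
    "object_4662":   "EventCode=4662\nEventType=0\nMessage=An operation was performed on an object.\n",
    "crlf_4720":     "EventCode=4720\r\nEventType=0\r\nMessage=A user account was created.\r\n",
    "lookalike":     "EventCode=47680\nEventType=0\n",   # must not match 4768
}


def expand_codes(spec):
    """Expand 'a-b,c,...' (newlines allowed between groups) into a sorted list of ints."""
    codes = set()
    for part in spec.replace("\n", ",").split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad range {part!r}")
            codes.update(range(lo, hi + 1))
        else:
            codes.add(int(part))
    return sorted(codes)


def keep_regex(codes):
    """Alternation anchored to a whole EventCode line, so 4768 does not also
    match 47680. \\s*$ tolerates a trailing \\r on CRLF events."""
    return r"(?m)^EventCode=(" + "|".join(str(c) for c in codes) + r")\s*$"


def render_conf(codes, sourcetype="WinEventLog:Security"):
    """Render the props.conf / transforms.conf pair. Order in TRANSFORMS matters:
    setnull drops everything, keepcodes then re-routes the wanted codes."""
    return (
        "# props.conf\n"
        f"[{sourcetype}]\n"
        "TRANSFORMS-filter = setnull, keepcodes\n\n"
        "# transforms.conf\n"
        "[setnull]\n"
        "REGEX = .\n"
        "DEST_KEY = queue\n"
        "FORMAT = nullQueue\n\n"
        "[keepcodes]\n"
        f"REGEX = {keep_regex(codes)}\n"
        "DEST_KEY = queue\n"
        "FORMAT = indexQueue\n"
    )


def route(event, codes):
    """Emulate the two transforms on one raw event; the last match sets the queue."""
    queue = "indexQueue"                        # nothing matched: default routing
    if re.search(".", event):                   # [setnull] matches any non-empty event
        queue = "nullQueue"
    if re.search(keep_regex(codes), event):     # [keepcodes] overrides for wanted codes
        queue = "indexQueue"
    return queue


if __name__ == "__main__":
    codes = expand_codes(KEEP_SPEC)
    print(f"{len(codes)} event codes kept")
    print(render_conf(codes))
    for name, ev in SAMPLE_EVENTS.items():
        print(f"{name:14s} -> {route(ev, codes)}")
```

Because this routing happens at parsing time (on an indexer or heavy forwarder, as the answer above notes), for Splunk Cloud the stanzas have to be applied on a heavy forwarder in front of the cloud indexers or through the cloud-side configuration process, not on a universal forwarder.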