Getting Data In

How to filter inputs.conf whitelist content for Windows event logs?



I configured an audit on a folder on Windows. Now I want to send it to my Splunk server, but there are many file audits configured by the system itself (file access in System32...) and I'm not interested in these logs.

So I need more than the eventID filter in the whitelist option of inputs.conf.

How can I do that, for example by checking the content of the log and only sending it if it contains C:\MyFolder?


0 Karma


You'll want to do this with a props.conf and transforms.conf. Things get slightly more complex if you want to filter everything and only include some things (such as C:\MyFolder). You'll also probably add a lot of additional processing in Splunk that isn't necessary. If it's the case that you only want to audit a specific folder, you might want to configure that auditing specifically inside the OS.

If you want to just filter out some folders (such as System32), you could set up a props.conf and transforms.conf like the following. You can also duplicate these for additional folders that you want to filter.

    # props.conf (the stanza name was lost from the original post; WinEventLog:Security
    # is an assumed sourcetype, adjust it to the sourcetype your input actually uses)
    [WinEventLog:Security]
    TRANSFORMS-FilterEvent = FilterEventSystem32

    # transforms.conf (the stanza name matches the TRANSFORMS reference above; the REGEX
    # line was not in the original post and is a placeholder for System32 object paths)
    [FilterEventSystem32]
    REGEX = (?mi)^Object Name:\s+C:\\Windows\\System32\\
    DEST_KEY = queue
    FORMAT = nullQueue
If you can send a sample event you'd like to filter out I can be more specific with a Regex.
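To see how the two routing strategies discussed above behave before touching a forwarder, here is an added example (my own code, not from the answer author or from Splunk) that mimics how Splunk evaluates an ordered TRANSFORMS list: every transform whose REGEX matches sets the queue, and the last match wins. That is why "keep only C:\MyFolder" needs two transforms (one that sends everything to nullQueue, then one that sends matching events back to indexQueue), while "drop System32" needs only one. The event texts are constructed, abbreviated 4663 messages, the sourcetype name WinEventLog:Security and the stanza names are assumptions, and the Splunk-side equivalents are given in the comments.

```python
import re

# Constructed, abbreviated Windows Security 4663 messages (not real logs).
# Real events carry many more lines; only the "Object Name:" line matters here.
EVENTS = [
    "EventCode=4663\nAn attempt was made to access an object.\n"
    "Object Name:\t\tC:\\MyFolder\\report.docx\nAccesses:\t\tReadData",
    "EventCode=4663\nAn attempt was made to access an object.\n"
    "Object Name:\t\tC:\\Windows\\System32\\config\\SAM\nAccesses:\t\tReadData",
    "EventCode=4663\nAn attempt was made to access an object.\n"
    "Object Name:\t\tC:\\MyFolderBackup\\old.txt\nAccesses:\t\tWriteData",
    "EventCode=4663\nAn attempt was made to access an object.\n"
    "Object Name:\t\tD:\\Data\\notes.txt\nAccesses:\t\tDELETE",
]

# Strategy 1: keep only events under C:\MyFolder, discard everything else.
# Splunk equivalent (stanza/sourcetype names assumed):
#   props.conf
#     [WinEventLog:Security]
#     TRANSFORMS-routing = setnull, keepMyFolder
#   transforms.conf
#     [setnull]
#     REGEX = .
#     DEST_KEY = queue
#     FORMAT = nullQueue
#     [keepMyFolder]
#     REGEX = (?mi)^Object Name:\s+C:\\MyFolder(\\|$)
#     DEST_KEY = queue
#     FORMAT = indexQueue
# The (\\|$) boundary stops C:\MyFolderBackup from sneaking through.
KEEP_ONLY_MYFOLDER = [
    (re.compile(r"."), "nullQueue"),
    (re.compile(r"^Object Name:\s+C:\\MyFolder(\\|$)", re.M | re.I), "indexQueue"),
]

# Strategy 2: drop only the chatty System32 events, keep everything else.
# Splunk equivalent: a single transform with FORMAT = nullQueue.
DROP_SYSTEM32 = [
    (re.compile(r"^Object Name:\s+C:\\Windows\\System32\\", re.M | re.I), "nullQueue"),
]

OBJECT_NAME = re.compile(r"^Object Name:\s+(.+?)\s*$", re.M)


def route(event: str, transforms) -> str:
    """Apply transforms in order; the last matching REGEX decides the queue.
    indexQueue is the default when nothing matches, as in Splunk."""
    queue = "indexQueue"
    for regex, dest in transforms:
        if regex.search(event):
            queue = dest
    return queue


def object_name(event: str):
    """Extract the Object Name field from a 4663-style message, or None."""
    m = OBJECT_NAME.search(event)
    return m.group(1) if m else None


def routing_table(events, transforms) -> dict:
    """Map each event's Object Name to the queue the transforms would route it to."""
    return {object_name(e): route(e, transforms) for e in events}


if __name__ == "__main__":
    for label, transforms in (("keep only MyFolder", KEEP_ONLY_MYFOLDER),
                              ("drop System32", DROP_SYSTEM32)):
        print(f"== {label} ==")
        for name, queue in routing_table(EVENTS, transforms).items():
            print(f"{queue:<11} {name}")
```

The order of the transform names in the TRANSFORMS- line is what makes strategy 1 work; reversing it would drop everything. Remember that the matching happens on the raw event text, so the regex has to anchor on the exact field label the forwarder emits ("Object Name:" followed by whitespace), and that Windows paths are case-insensitive, hence the (?i) flag.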



Finally, custom view configuration is rather limited and I'm not even sure I can do what I want, i.e. filtering the ObjectName field.
So I have just followed your advice on Splunk with the transforms.conf and props.conf configuration.

Even if I thought that was the "dirty way", after filtering "Object Name C:*" (even C:\Windows should be almost perfect) I no longer receive any logs from chatty Windows.

If you want to do the same, honestly, don't waste your time searching for weird Windows configuration and just filter any chatty folder.

In the end it is quite easy and powerful.

Thanks for all.

0 Karma


That's awesome news, I'm glad you got it working! Let me know if you have any other questions around this.

0 Karma


Thanks for your reply.
Actually, my idea was to include only the events which concern this folder, with no restriction on the type of event (read, modification attempt, deletion...).

There is no specific format for the stored files; the only condition is the path "C:\Myfolder*" (or C:\Myfolder*).
Is it possible to exclude a drive?
This way I could just set my folder as a shared network drive (and exclude any other drive).

You're right about the OS configuration; I have started configuring Windows logs with Advanced XML Filtering. It is a bit tedious but this should work.

About that, do you know if it is possible to forward Windows logs from a customised View, which filters logs, in the same way as ordinary logs (I mean [Winevent://MyView] in inputs.conf, for example)?

0 Karma


I believe you should be able to use a custom view. Try this and see if it's what you're looking for.

0 Karma