- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to filter out Windows events logs based on wor...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I'm trying to filter out specific windows event log that's Id=0 😞
This is the event:
ERROR 2015-07-12 13:11:31,270 There is no security-data for the current context.. Occured in method:"Register", in process:"w3wp"
Stack trace:
at iFOREX.Security.Context.SecurityDataProvider.AssertExists() in d:\BuildAreas\RelFxnet3\FX3-81\Source\iFOREX Framework\iFOREX.Security\iFOREX.Security\Context\SecurityDataProvider.cs:line 26
at iFOREX.Clients.Web.Classes.AppGlobal.get_SecurityToken() in d:\BuildAreas\RelFxnet3\FX3-81\Source\iFOREX Framework\IFOREX.Clients\iFOREX.Clients.Web\BaseClasses\AppGlobal.cs:line 212
at iFOREX.Clients.Web.Common.Utils.SecurityHelper.CheckSecurity(String checkSecurityParam, HttpSessionState session) in d:\BuildAreas\RelFxnet3\FX3-81\Source\iFOREX Framework\IFOREX.Clients\iFOREX.Clients.Web\Common\Utils\SecurityHelper.cs:line 55
at iFOREX.Clients.Web.Common.Utils.SecurityHelper.CheckSecurity(HttpContext context) in d:\BuildAreas\RelFxnet3\FX3-81\Source\iFOREX Framework\IFOREX.Clients\iFOREX.Clients.Web\Common\Utils\SecurityHelper.cs:line 42
at iFOREX.Clients.Web.Handlers.ClientState.OnProcessRequest(HttpContext context) in d:\BuildAreas\RelFxnet3\FX3-81\Source\iFOREX Framework\IFOREX.Clients\iFOREX.Clients.Web\Handlers\ClientState\ClientState.ashx.cs:line 64
What I tried:
props.conf:
[WMI:Applications]
TRANSFORMS-wmi=wminull1
transforms.conf:
[wminull1]
REGEX = There is no security-data for the current context
DEST_KEY=queue
FORMAT=nullQueue
But I can't seem to make it work and have Splunk not index this event.
Can anyone please help?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
The issue was solved by using the following regex:
REGEX = (?ms)There is no security-data for the current context
Thanks for the help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
The issue was solved by using the following regex:
REGEX = (?ms)There is no security-data for the current context
Thanks for the help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ah, the text was split across multiple lines inside a multi-line event. That explains it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My guess is that you have extra whitespace which you are not noticing; have you tested your RegEx against actual log messages? If you can't/won't, then try this and see if it works:
REGEX = There\s+is\s+no\s+security\s*-\s*data\s+for\s+the\s+current\s+context
Bad RegEx is the only thing that makes sense if you are certain that you have checked everything else already mentioned.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Does your original RegEx work in the search bar, too? Where exactly did you put your props.conf and transforms.conf files? Did you spell the filenames correctly?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I haven't tried it with the original regex just with this one: There\s+is\s+no\s+security\s*-\s*data\s+for\s+the\s+current\s+context
So in the search line, if I enter: sourcetype="WMI:WinEventLog:Applications" | regex There\s+is\s+no\s+security\s*-\s*data\s+for\s+the\s+current\s+context
It seems to work and I do see the events
Now, want i want to filter them out and have Splunk not index them, i use:
Props.conf:
[WMI:WinEventLog:Applications]
TRANSFORMS-wmi = WinSecEvents-null
Transforms.conf:
[WinSecEvents-null]
REGEX = There\s+is\s+no\s+security\s*-\s*data\s+for\s+the\s+current\s+context
DEST_KEY=queue
FORMAT=nullQueue
And these doesn't seems to work. no matter what, Splunk keep indexing them and i See new entries.
thanks,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
if I use the regex There\s+is\s+no\s+security\s*-\s*data\s+for\s+the\s+current\s+context on the search line it works but if not on the transforms.conf
Thanks,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
if I use the regex There\s+is\s+no\s+security\s*-\s*data\s+for\s+the\s+current\s+context on the search line it works but if not on the transforms.conf
Thanks,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Make sure that...
- your sourcetype matches
WMI:Applicationsexactly - you set this on the indexers or heavy forwarders
- you restart the instances you set this on
- there are no configuration errors during restart
- you're looking at newly indexed data and not old data
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Martin, Thanks for your reply.
I checked all you wrote and it's not the issue.
Am I using the right regex to filler out this event and have Splunk not index it?
Thanks
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
