Getting Data In

How to filter out or send to a null queue windows event logs with universal forwarder 6.x?

Engager

i'm using UF6 and I want to filter out or send to a null queue uninteresting Windows events with UF6.

0 Karma

Contributor

we can filetr the unwanted traffic to be dropped by moving them to nullQueue.

props.conf:
[source::....log...]
TRANSFORMS-debug_log = debug_log_transform

in transforms.conf:
[debug_log_transform]
REGEX=
DEST_KEY = queue
FORMAT = nullQueue

so the respective matched REGEX data will not be indexed and therefore it will not affect our license limit too.
http://docs.splunk.com/Documentation/Splunk/6.1.3/Forwarding/Routeandfilterdatad

0 Karma

Contributor

Besides routing to receivers, forwarders can also filter and route data to specific queues or discard the data altogether by routing to the null queue.
http://docs.splunk.com/Documentation/Splunk/6.1.3/Forwarding/Routeandfilterdatad

0 Karma

Explorer

this only works on an indexer not on an UF as stated in the question

0 Karma

SplunkTrust
SplunkTrust

Hi liquid,

take a look at the docs Use_the_Security_event_log_to_monitor_changes_to_files this will provide examples on how to blacklist certain windows event log entries by event code.

also good to read: http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings

hope this helps ...

cheers, MuS