Getting Data In
Highlighted

How to prevent the indexing of message field in the windows eventlog sourcetype?

Path Finder

I've searched everywhere but all solutions seem workaround, can someone can suggest the best way to prevent the indexing of message field in the windows eventlog sourcetype?
I want to apply the same method to my firewall syslog messages, in other words, I want to remove the unnecessary field from events before it's indexed.

0 Karma
Highlighted

Re: How to prevent the indexing of message field in the windows eventlog sourcetype?

SplunkTrust
SplunkTrust

hello there,
quick search in this portal bring this great answer:
https://answers.splunk.com/answers/4752/disabling-or-removing-extra-description-text-in-windows-2008...
also i remember there are more, and i am positive i read a splunk blog about it.
in general, what you are looking for called "route and filter data" read here:
http://docs.splunk.com/Documentation/Splunk/7.0.3/Forwarding/Routeandfilterdatad
here is an example of how to remove the message from Windows EventCode 4624 (logon)
props.conf:

[WinEventLog:Security]
TRANSFORMS-shorten = shorten4624

transforms.conf

[shorten4624]
REGEX = (?ms)(.*EventCode=4624.*)This event is generated when a logon session
DEST_KEY = _raw
FORMAT = $1

hope it helps

0 Karma
Highlighted

Re: How to prevent the indexing of message field in the windows eventlog sourcetype?

Path Finder

thank you Adonio but i want to discard ENTIRE filend and not a part of it, as i wrote i need to apply the same method on other source type, for example a firewall events in syslog ... i need to keep only 4 filed from the original 21 ...

0 Karma
Highlighted

Re: How to prevent the indexing of message field in the windows eventlog sourcetype?

SplunkTrust
SplunkTrust

not sure if you wanted to comment on my answer or answer yourself.
here is the link for the article you are looking for:
http://docs.splunk.com/Documentation/Splunk/7.0.3/Forwarding/Routeandfilterdatad#Discard_specific_ev...
please read in detail. also, tons of answers here about it. look for nullqueue or discard
hope it helps
p.s. my answer above discards the "entire" message field and not part of it. you can use the same method to all your fields.
p.s. assuming the only fields you want from your firewall are let say: time, source, destination and action, i would probably have the firewall write only these values to the message and save also the load on your syslog server...

0 Karma