Getting Data In

Ignoring events confusion

AaronMoorcroft
Communicator

Hi Guys

I have a quick and probabyly simple question, I needed to ignore an event for arguments sake lets call it event 123

So I created a transforms.conf and added the below -

[setnull]

REGEX = 123

DEST_KEY = queue

FORMAT = nullQueue

After restarting the Splunk service this has had the desired effect in that eventcode 123 is no longer being indexed, it stops appearing on the search at the same time that I restarted the service. To my question / confusion, in doing this it seems that the event 123 is actually also no longer being shown in the Windows event log.

1 is this correct, will the stanza that I have added stop the events being logged in the windows event viewer

2 should it not still be logged in the windows event viewer and just ignored when indexing all the other events ?

or is this just a complete coincidence and the event 123 has just resolved itself at the exact same time as I was working on ignoring that particular event.

Cheers Guys

0 Karma
1 Solution

Jeff_Lightly_Sp
Communicator

This has to be coincidence as this is simply a filter of what gets indexed, not what is logged as an event on a server(s).

View solution in original post

Jeff_Lightly_Sp
Communicator

This has to be coincidence as this is simply a filter of what gets indexed, not what is logged as an event on a server(s).

AaronMoorcroft
Communicator

Thanks for the quick response, I was hoping that was the case but I needed to be sure, thanks for the info.

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...