Hello there,
I'm Portuguese and I'm trying to learn how to filter Windows data, but I do not know how.
Example: if I only want to check a service or who logs in to my machine, how do I block all the other information?
In an enterprise the 500 MB free will expire in only 5 min.
In the next example, how can I say what I want or do not want to index?
Do I have to create a props.conf?
If I have to create it, where do I create that file? splunk? C:\Program Files\Splunk\etc?
Is it by CLI?
Is it on the DOS command line?
Is it on "Manager"?
LogName=System
SourceName=Microsoft-Windows-Service Control Manager
EventCode=7036
EventType=4
Type=Information
ComputerName=teste-PC
TaskCategory=The operation completed successfully.
OpCode=The operation completed successfully.
RecordNumber=27001
Many Thanks
JV
I've found that it's helpful to have a Regular Expression cheat sheet handy when doing this type of work. There is a really snazzy tool that the people (maybe person) at gskinner have built:
http://gskinner.com/RegExr/
It's a Flash application that will allow you to test any number of Regular Expressions on given text. There is even a standalone one written in AIR which is nice if you're traveling and not near a net connection.
I'm still trying to get the hang of the transforms and props; however, it seems to me that the titles of the stanzas are up to the user as long as they are consistent. (Please, someone who knows better, confirm this.)
(?m) optionally matches m
and (?msi) optionally matches msi
Also, the props.conf spec document is available at:
http://docs.splunk.com/Documentation/Splunk/5.0.1/admin/Propsconf
Thank you for the answer.
I solved it this way:
props.conf
[WinEventLog:Application]
TRANSFORMS-wmi = setnull
transforms.conf
[setnull]
REGEX = (?msi)^EventCode=(4101)
DEST_KEY=queue
FORMAT = nullQueue
Can you tell me what the difference is between REGEX = (?m) and (?msi)? I do not know the difference between winnull and setnull either, but I got it working.
You've made a mistake in your implementation, specifically in your props.conf entry by calling a sourcetype field that doesn't match the sourcetype field assigned to the events, causing a miss. It should look like this, based on what I've seen of your configuration:
[WinEventLog:Application]
TRANSFORMS-wmi=wminull
Your transform looks fine to me, I don't think it should be changed.
Why did I get -1 on a question?
Good morning,
I have my conf files like this, saved in a new text file.
Please see:
http://imageshack.us/photo/my-images/407/transforms.png/
http://imageshack.us/photo/my-images/525/props.png/
The source field is Application; it is correct because in Windows the system logon comes to Splunk in the source field "Application".
Tell me one thing: do I have to put these two files, props and transforms, in the forwarder or in the indexer? The forwarder is Windows 7, the indexer is CentOS Linux. (I got it, it is in the forwarder.)
And can I create the files like a txt file? (OK, I tried and I got it, yes, a text file.)
And should I save them as a txt file? (Yes.)
By the way, I'm trying to exclude this:
"
04/05/2012 12:26:51 PM
LogName=ApplicationSourceName=Microsoft-Windows-Winlogon
EventCode=4101
EventType=4
Type=Information
ComputerName=joaovaladas-PC
TaskCategory=None
OpCode=None
RecordNumber=189997
Keywords=Classic
Message=Windows license validated.
sourcetype=WinEventLog:Application Options|
source=WinEventLog:Application Options
"
Many Thanks
JV
OK, I have something that looks like that.
I have copied my props.conf and transforms.conf from C:\Program Files\Splunk\etc\system\default
to C:\Program Files\Splunk\etc\system\local
Should I create new ones?
In the end I have written this:
props.conf
[WMI:WinEventLog:Application]
TRANSFORMS-wmi=wminull
Saved, and in transforms.conf I have written this:
[wminull]
REGEX=(?m)^EventCode=(4101)
DEST_KEY=queue
FORMAT=nullQueue
The number 4101 is the event number for when you make a LOGON.
I saved it in the indexer, but when I go to "Search" I still receive that log.
Can you tell me why?
Many Thanks.
JV
In props.conf, you're telling Splunk you want it to act on the sourcetype field with the stanza you've used. That means that the sourcetype field must match exactly what you've got in props. Can you confirm that 'WMI:WinEventLog:Application' is exactly what you see in the sourcetype field for one of these events? If no, you should change it to whatever you see there exactly.
I answered something similar just recently;
http://splunk-base.splunk.com//answers/44352/how-to-only-forward-windows-security-logs
It's rather long with lots of comments, but if you know how to get data into the indexer, you will probably understand it. That particular example deals with Security logs, but you could change that to System, if those are the events you want.
You create your props.conf and transforms.conf with a normal text editor.
In props.conf you should create a stanza with the same name as your sourcetype, in this case something like [WinEventLog:Application], but you have to make sure that you have the correct one.
There you will need to reference a transforms.conf stanza like this:
in props.conf
[WinEventLog:Application]
TRANSFORMS-blahbaha = windelete, winkeep
In transforms.conf you need to create two stanzas - windelete and winkeep - and under each you will need to form a regex and say what to do with matching events:
in transforms.conf
[windelete]
REGEX = (?m).
DEST_KEY = queue
FORMAT = nullQueue
[winkeep]
REGEX = (?m)^EventCode=(4104|9999|666)
DEST_KEY = queue
FORMAT = indexQueue
This will result in only keeping events that match EventCode=4104 or EventCode=9999 or EventCode=666.
Hope this helps,
Kristian
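To make the routing behaviour of these stanzas concrete, here is an added Python simulation (not Splunk code and not part of the thread) that applies the windelete/winkeep whitelist from Kristian's answer and the setnull blacklist from the earlier post to a few constructed Windows events, and also shows what the (?m) and (?msi) inline flags change. It assumes, as Splunk documents, that the transforms named on a TRANSFORMS-* line run left to right and each match overwrites DEST_KEY=queue, so the last matching stanza wins.

```python
import re

# Constructed sample events in the multi-line key=value layout that the
# Splunk Windows event log input produces (values made up for this example).
EVENTS = {
    "logon": "04/05/2012 12:26:51 PM\nLogName=Application\n"
             "SourceName=Microsoft-Windows-Winlogon\nEventCode=4101\n"
             "Message=Windows license validated.",
    "keep": "04/05/2012 12:30:00 PM\nLogName=Application\n"
            "SourceName=Example\nEventCode=4104\nMessage=constructed",
    "scm": "04/05/2012 12:31:00 PM\nLogName=System\n"
           "SourceName=Microsoft-Windows-Service Control Manager\n"
           "EventCode=7036\nMessage=The operation completed successfully.",
}

# transforms.conf stanzas from the thread: a REGEX and the queue (FORMAT)
# written to DEST_KEY=queue whenever the regex matches the raw event.
TRANSFORMS = {
    "windelete": (r"(?m).", "nullQueue"),
    "winkeep": (r"(?m)^EventCode=(4104|9999|666)", "indexQueue"),
    "setnull": (r"(?msi)^EventCode=(4101)", "nullQueue"),
}

def route(event, order):
    """Queue an event ends up in for a props.conf line TRANSFORMS-x = <order>.
    Transforms run left to right; every match overwrites DEST_KEY=queue, so
    the last matching stanza decides (hence windelete must precede winkeep)."""
    queue = "indexQueue"  # nothing matched: the event is indexed normally
    for name in order:
        regex, fmt = TRANSFORMS[name]
        if re.search(regex, event):
            queue = fmt
    return queue

def matches(regex, event):
    """True if the transform regex matches. (?m) lets ^ anchor at each line
    start instead of only at the timestamp that begins the event; (?s) makes
    '.' also match newlines; (?i) makes the match case-insensitive."""
    return re.search(regex, event) is not None

if __name__ == "__main__":
    for name, ev in EVENTS.items():
        print(name, "whitelist ->", route(ev, ["windelete", "winkeep"]),
              "| blacklist ->", route(ev, ["setnull"]))
    print(matches(r"^EventCode=4101", EVENTS["logon"]))        # False: no (?m)
    print(matches(r"(?m)^EventCode=4101", EVENTS["logon"]))    # True
    print(matches(r"(?m)^eventcode=4101", EVENTS["logon"]))    # False: case
    print(matches(r"(?msi)^eventcode=4101", EVENTS["logon"]))  # True: (?i)
```

Swapping the order to winkeep, windelete sends every event to nullQueue, which is the most common reason a whitelist like this appears to drop everything.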