Hello.
I would like to sort the data from the Windows Security log, but for some reason all the data is still passed to the Splunk server.
In the directory /splunk/etc/system/local/ I have created two files:
props.conf
[WMI:WinEventLog:Security]
TRANSFORMS-wmi=wminull
transforms.conf
[wminull]
REGEX=(?m)^EventCode=(528|529|538|540|602|608|609|612|624|628|629|630|631|632|633|634|635|636|637|638|639|642|645|647|668)
DEST_KEY=queue
FORMAT=nullQueue
But in addition to the EventCodes from transforms.conf, I can still see other EventCodes in Splunk.
Maybe someone has done a similar sort and can share their code examples or point out my mistakes.
Thanks!
Hello,
Your question is itself the answer :). The Universal forwarder will not filter your data through props/transforms.conf. They should be placed on the indexer. In Splunk 6 there are options to specify which events you actually want to forward, but you need to filter the
http://blogs.splunk.com/2013/10/14/windows-event-logs-in-splunk-6/
If you really need to filter from the forwarder, use a heavy forwarder. You will find several examples of how to do it on Splunkbase.
Thanks
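To check the regex from the question against sample events before placing it on the indexer or heavy forwarder, as the answer recommends, here is an added Python script that is not from the original thread or from Splunk. It emulates the nullQueue routing on constructed events; the `\b`-anchored variant is an assumption added here to show that the unanchored alternation also matches longer codes that share a prefix (e.g. 6420 via 642).

```python
import re

# The nullQueue regex from the question's transforms.conf, verbatim.
NULLQUEUE_REGEX = (
    r"(?m)^EventCode=(528|529|538|540|602|608|609|612|624|628|629|630|631|632"
    r"|633|634|635|636|637|638|639|642|645|647|668)"
)
# Same alternation with a word boundary after the code, so that a longer
# code sharing a prefix is not swallowed. This anchored variant is an
# assumption added here, not part of the original post.
NULLQUEUE_REGEX_ANCHORED = NULLQUEUE_REGEX + r"\b"

# Constructed sample events in the multi-line layout Splunk uses for
# WMI:WinEventLog:Security, trimmed to the fields that matter here.
SAMPLE_EVENTS = [
    "LogName=Security\nEventCode=528\nEventType=8\nComputerName=host1\nMessage=Successful Logon",
    "LogName=Security\nEventCode=4624\nEventType=8\nComputerName=host1\nMessage=An account was successfully logged on.",
    "LogName=Security\nEventCode=6420\nEventType=8\nComputerName=host1\nMessage=A device was disabled.",
    "LogName=Security\nEventCode=592\nEventType=8\nComputerName=host1\nMessage=A new process has been created.",
]


def route_events(events, regex):
    """Return (indexed, dropped) EventCode lists, mimicking DEST_KEY=queue / FORMAT=nullQueue.

    Splunk applies REGEX to the raw event text: a match sends the event to
    nullQueue (discarded); no match leaves it on the index queue.
    """
    pattern = re.compile(regex)
    indexed, dropped = [], []
    for ev in events:
        code = re.search(r"^EventCode=(\d+)$", ev, re.M).group(1)
        (dropped if pattern.search(ev) else indexed).append(code)
    return indexed, dropped


if __name__ == "__main__":
    for label, rx in (("original", NULLQUEUE_REGEX), ("anchored", NULLQUEUE_REGEX_ANCHORED)):
        kept, gone = route_events(SAMPLE_EVENTS, rx)
        print(f"{label}: indexed={kept} dropped={gone}")
```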
Hmm, well, it's true.
Thank you, you opened my eyes to this problem.
I will read the article and try to solve this problem!