Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- UniversalForwarder does not filter data
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello.
I would like sort the data from Windows Security log, but some reason still passed to all the data in Splunk server.
In directory /splunk/etc/system/local/ I have created two files:
props.conf
[WMI:WinEventLog:Security]
TRANSFORMS-wmi=wminulltransforms.conf
[wminull]
REGEX=(?m)^EventCode=(528|529|538|540|602|608|609|612|624|628|629|630|631|632|633|634|635|636|637|638|639|642|645|647|668)
DEST_KEY=queue
FORMAT=nullQueue
But still in addition EventCode from transforms.conf in Splunk i can see another EventCode.
Maybe someone did a similar sort and can share their code examples or point out my mistakes.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Your question is itself the answer :). Universal forwarder will not filter your data through props/transforms.conf. It should be placed on the indexer. in Splunk 6 there are options to specify which one actually you want to forward but you need to filter the
_http://blogs.splunk.com/2013/10/14/windows-event-logs-in-splunk-6/
if you really need to filter from forwarder use a heavy forwarder. You will several examples of it how to do in splunkbase.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Your question is itself the answer :). Universal forwarder will not filter your data through props/transforms.conf. It should be placed on the indexer. in Splunk 6 there are options to specify which one actually you want to forward but you need to filter the
_http://blogs.splunk.com/2013/10/14/windows-event-logs-in-splunk-6/
if you really need to filter from forwarder use a heavy forwarder. You will several examples of it how to do in splunkbase.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hmm well it's true.
Thank you opened my eyes to this problem.
Read the article and try to solve this problem!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Observability Simplified: Combining User Experience, Application Performance & ...
Event Series May & June: From Network Visibility to Service Intelligence
Global Splunk User Group Events: May + June 2026
