# transforms.conf
[drop4768OK]
REGEX = EventCode=4768(.|\t|\r|\n)*Result.*Code.*0x0
DEST_KEY = queue
FORMAT = nullQueue

# props.conf
[source::WinEventLog:Security]
TRANSFORMS-set = drop4768OK
After a reboot, events with Event Code 4768 and Result Code 0x0 are still being indexed. What am I doing wrong?
First of all, you should have a better RegEx, like ^EventCode=4768[\S\s\r\n]+Result\s*Code:\s+0x0\D. Even so, yours should work. I would try using a sourcetype-based stanza header instead of your source-based one. Again, what you have should work, but since it isn't, let's try something else.
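Added example (not code from the original thread): an offline check that parses the question's transforms.conf stanza and the tighter regex suggested above, applies each one to constructed 4768/4769 events laid out the way a Windows Security event appears in _raw (timestamp line first, then LogName=, SourceName=, EventCode=, and the Message body with its tab-indented "Result Code:" line), and reports which queue each event would land in. Assumptions: Python's re stands in for Splunk's PCRE (both anchor ^ at the start of the whole string unless multiline mode is on, so a third stanza, drop4768OK_tight_ml, is included here as an added variant with a (?m) prefix), configparser stands in for Splunk's own conf parser, the props.conf header is the sourcetype-based form recommended above, and all event text, host and account names are constructed.

```python
"""Offline check of a Splunk nullQueue filter: parse props/transforms stanzas,
apply each REGEX to constructed events, and report the queue each event hits.
Added example; not code from the original thread."""
import configparser
import re

# Constructed props.conf fragment using the sourcetype-based header.
PROPS_CONF = """
[WinEventLog:Security]
TRANSFORMS-set = drop4768OK, drop4768OK_tight, drop4768OK_tight_ml
"""

# Constructed transforms.conf fragment: drop4768OK is the question's regex,
# drop4768OK_tight is the one suggested in the answer, and drop4768OK_tight_ml
# is an assumed variant with a (?m) prefix so that ^ can match at the start of
# the "EventCode=" line rather than only at the very start of _raw.
TRANSFORMS_CONF = r"""
[drop4768OK]
REGEX = EventCode=4768(.|\t|\r|\n)*Result.*Code.*0x0
DEST_KEY = queue
FORMAT = nullQueue

[drop4768OK_tight]
REGEX = ^EventCode=4768[\S\s\r\n]+Result\s*Code:\s+0x0\D
DEST_KEY = queue
FORMAT = nullQueue

[drop4768OK_tight_ml]
REGEX = (?m)^EventCode=4768[\S\s\r\n]+Result\s*Code:\s+0x0\D
DEST_KEY = queue
FORMAT = nullQueue
"""


def build_event(event_code: str, result_code: str) -> str:
    """Constructed Security event in the classic WinEventLog _raw layout
    (fields trimmed to the ones the regexes touch; names are made up)."""
    return (
        "04/23/2020 09:13:41 AM\n"
        "LogName=Security\n"
        "SourceName=Microsoft Windows security auditing.\n"
        f"EventCode={event_code}\n"
        "EventType=0\n"
        "ComputerName=DC01.example.local\n"
        "TaskCategory=Kerberos Authentication Service\n"
        "Message=A Kerberos authentication ticket (TGT) was requested.\n"
        "\n"
        "Account Information:\n"
        "\tAccount Name:\t\tjdoe\n"
        "\tSupplied Realm Name:\tEXAMPLE\n"
        "\n"
        "Additional Information:\n"
        "\tTicket Options:\t\t0x40810010\n"
        f"\tResult Code:\t\t{result_code}\n"
        "\tTicket Encryption Type:\t0x12\n"
        "\tPre-Authentication Type:\t2\n"
    )


def _read(conf_text: str) -> configparser.ConfigParser:
    # '=' only as delimiter so the ':' inside regexes and stanza names survives;
    # interpolation off so '%' in a regex would not be mangled.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep REGEX / DEST_KEY / TRANSFORMS-set case as written
    cp.read_string(conf_text)
    return cp


def load_null_queue_transforms(transforms_text: str) -> dict:
    """Return {stanza name: compiled REGEX} for every stanza routing to nullQueue."""
    cp = _read(transforms_text)
    out = {}
    for name in cp.sections():
        st = cp[name]
        if st.get("DEST_KEY") == "queue" and st.get("FORMAT") == "nullQueue":
            out[name] = re.compile(st["REGEX"])
    return out


def transforms_for(props_text: str, sourcetype: str) -> list:
    """Transform names listed under TRANSFORMS-* for the sourcetype stanza, in order."""
    cp = _read(props_text)
    names = []
    if cp.has_section(sourcetype):
        for key, value in cp[sourcetype].items():
            if key.startswith("TRANSFORMS-"):
                names += [n.strip() for n in value.split(",") if n.strip()]
    return names


def verdicts(event: str, transforms: dict) -> dict:
    """Per-transform result: the queue each REGEX on its own would send the event to."""
    return {name: ("nullQueue" if rx.search(event) else "indexQueue")
            for name, rx in transforms.items()}


def route(event: str, sourcetype: str) -> str:
    """Apply the sourcetype's transforms in order; the first nullQueue match drops the event."""
    transforms = load_null_queue_transforms(TRANSFORMS_CONF)
    for name in transforms_for(PROPS_CONF, sourcetype):
        if name in transforms and transforms[name].search(event):
            return "nullQueue"
    return "indexQueue"


if __name__ == "__main__":
    rules = load_null_queue_transforms(TRANSFORMS_CONF)
    for label, ev in [("4768 / 0x0", build_event("4768", "0x0")),
                      ("4768 / 0x6", build_event("4768", "0x6")),
                      ("4769 / 0x0", build_event("4769", "0x0"))]:
        print(label, verdicts(ev, rules), "->", route(ev, "WinEventLog:Security"))
```

Running it shows the question's regex and the (?m) variant both send the successful 4768 to nullQueue, while the ^-anchored regex without (?m) keeps everything because _raw starts with the timestamp, not with "EventCode=". The failed 4768 and the 4769 stay in indexQueue under all three.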
Could you provide a few sample events containing both: events you'd like to keep and events you'd like to discard?
The events have to meet both criteria, i.e. event code AND result code?
You shouldn't be putting stuff in $SPLUNK_HOME/etc/system/local; you should be creating your own app based on either the sourcetype or the Splunk node type (e.g. Indexer). In any case, if you are doing a sourcetype override/overwrite, you must use the ORIGINAL values, NOT the new value (you are not, so that's not your problem). Then you must deploy this to the first full instance(s) of Splunk that handle the events (usually either the HF tier, if you use that, or your Indexer tier), restart all Splunk instances there, send in new events (old events will stay broken), and then test using _index_earliest=-5m to be absolutely certain that you are only examining the newly indexed events. I think that last bit is your problem.