[drop4768OK] REGEX = EventCode=4768(.|\t|\r|\n)*Result.*Code.*0x0 DEST_KEY = queue FORMAT = nullQueue
[source::WinEventLog:Security] TRANSFORMS-set = drop4768OK
After a reboot, events with Event Code 4768 and Result Code 0x0 are still being indexed. What am I doing wrong?
You shouldn't be putting stuff in
$SPLUNK_HOME/etc/system/local; you should be creating your own app based on either the sourcetype or the splunk-node type (e.g. Indexer). In any case, if you are doing a sourcetype override/overwrite, you must use the ORIGINAL values NOT the new value (you are not, so that's not your problem), then you must deploy this to the first full instance(s) of Splunk that handles the events (usually either the HF-tier, if you use that, or your Indexer tier), restart all Splunk instances there, send in new events (old events will stay broken), then test using indexearliest=-5m to be absolutely certain that you are only examining the newly indexed events. I think that last bit is your problem.
Alright. I've never seen this recommended in the 2 years I've worked with Splunk Engineers, Splunk Answers, or Splunk Support. Unless it's specifically related to certain config changes?
Could you provide a few sample events containing both; events you'd like to keep and events you'd like to discard?
The events have to meet both criteria? i.e. Event code AND result code?