I have a Splunk central indexer on rhel5.5 and a forwarder (not LWF) on a Server 2008 VM. Currently I am forwarding all of WinEventLog:Security, and want to not index EventCode=566.
props.conf
[WMI:WinEventLog:Security]
TRANSFORMS-null= setnull
transforms.conf
[setnull]
REGEX ="(?m)^EventCode=566"
DEST_KEY = queue
FORMAT = nullQueue
Currently these files exist in $SPLUNK_HOME/etc/system/local on the indexer, but I am still seeing results for EventCode=566 in search.
What am I doing wrong?
BEWARE: On recent versions of the Windows app, the sourcetype for Windows events has changed, so you should change the props.conf accordingly.
Please try them both, or use them both if you have a mix of forwarder versions, to cover them all.
UPDATE: Splunk 6.*
Since this version you can actually specify a list or range of eventCodes to exclude at the forwarder level, in inputs.conf. It will reduce the volume at the forwarder level and reduce the network load.
see
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf
example:
[WinEventLog:Security]
disabled = 0
blacklist=566,800-850
You shouldn't have the double-quotes (") around your REGEX, since they aren't in the data:
REGEX = (?m)^EventCode=566
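The following is an added example, not part of either answer or of Splunk itself. It emulates both filtering approaches discussed above against a constructed Windows Security event so the regex can be checked before it is deployed: the indexer-side nullQueue transform from the question (with the quoted REGEX as posted, and the fixed one from this answer) and the forwarder-side inputs.conf blacklist from the Splunk 6 update. The helper that hoists the inline (?m) flag is an assumption made only so the pattern compiles under Python, whose re module (unlike Splunk's PCRE) rejects a global flag that is not at the start of the pattern; the blacklist parser follows the documented code,range syntax as this editor reads it.

```python
import re

# Constructed sample of a Security event as a full forwarder delivers it: the
# key=value fields sit on separate lines, which is why the transform's REGEX
# needs (?m) so that ^ anchors at the start of the "EventCode=" line.
SAMPLE_EVENT_566 = """03/10/2011 10:15:22 AM
LogName=Security
SourceName=Security
EventCode=566
EventType=8
Type=Success Audit
ComputerName=WIN2008-VM
Message=Object Operation (constructed sample)"""

# A second constructed event that must NOT be dropped by either filter.
SAMPLE_EVENT_4624 = SAMPLE_EVENT_566.replace("EventCode=566", "EventCode=4624")

# The REGEX value exactly as typed in the question (quotes included) and as
# this answer says it should be written.
REGEX_WITH_QUOTES = '"(?m)^EventCode=566"'
REGEX_FIXED = "(?m)^EventCode=566"


def compile_like_splunk(pattern: str) -> re.Pattern:
    """Splunk's REGEX is PCRE, which accepts an inline (?m) anywhere; Python
    3.11+ only accepts it at the very start, so hoist it into a flag before
    compiling (assumed equivalence; it holds for these top-level patterns)."""
    flags = 0
    if "(?m)" in pattern:
        pattern = pattern.replace("(?m)", "", 1)
        flags |= re.MULTILINE
    return re.compile(pattern, flags)


def transform_routes_to_nullqueue(regex: str, raw_event: str) -> bool:
    """Emulate the [setnull] transform: True means the event matches REGEX and
    would be sent to nullQueue (dropped); False means it reaches the index."""
    return compile_like_splunk(regex).search(raw_event) is not None


def parse_blacklist(spec: str) -> set:
    """Expand an inputs.conf blacklist such as '566,800-850' into the set of
    EventCodes it covers (comma-separated single codes and lo-hi ranges)."""
    codes = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            codes.update(range(lo, hi + 1))
        else:
            codes.add(int(part))
    return codes


def forwarder_drops(spec: str, raw_event: str) -> bool:
    """Emulate the Splunk 6 forwarder-side blacklist: True means the event's
    EventCode is in the blacklist and never leaves the forwarder."""
    match = re.search(r"(?m)^EventCode=(\d+)$", raw_event)
    return match is not None and int(match.group(1)) in parse_blacklist(spec)


if __name__ == "__main__":
    # The quoted REGEX requires a literal '"' before the line start, so it never
    # matches: EventCode=566 keeps getting indexed, exactly the symptom asked about.
    print("quoted REGEX drops 566? ", transform_routes_to_nullqueue(REGEX_WITH_QUOTES, SAMPLE_EVENT_566))
    print("fixed REGEX drops 566?  ", transform_routes_to_nullqueue(REGEX_FIXED, SAMPLE_EVENT_566))
    print("fixed REGEX drops 4624? ", transform_routes_to_nullqueue(REGEX_FIXED, SAMPLE_EVENT_4624))
    print("blacklist drops 566?    ", forwarder_drops("566,800-850", SAMPLE_EVENT_566))
    print("blacklist drops 4624?   ", forwarder_drops("566,800-850", SAMPLE_EVENT_4624))
```

Run it as-is to see why the quoted pattern silently matches nothing; the same harness can be pointed at a real event copied out of a search (the raw text of `_raw`) to confirm a transform or blacklist before it is pushed to the indexer or forwarder.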