I have a Splunk central indexer on RHEL 5.5 and a forwarder (not a LWF) on a Server 2008 VM. Currently I am forwarding all of WinEventLog:Security, and I want to not index EventCode=566.
props.conf:

[WMI:WinEventLog:Security]
TRANSFORMS-null = setnull

transforms.conf:

[setnull]
REGEX = "(?m)^EventCode=566"
DEST_KEY = queue
FORMAT = nullQueue
Currently these files exist in $SPLUNK_HOME/etc/system/local on the indexer, but I am still seeing results for EventCode=566 in search.
What am I doing wrong?
BEWARE: On recent versions of the Windows app, the sourcetype for Windows events has changed, so you should change props.conf accordingly.
Please try them both, or use both if you have a mix of forwarder versions, to cover them all.
UPDATE: Splunk 6.*
Since this version you can actually specify a list or range of EventCodes to exclude at the forwarder level, in inputs.conf. It will reduce the volume at the forwarder level and reduce the network load.
disabled = 0
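The two approaches from the answer above, written out as an added example (this is not the asker's or the answerer's config). Assumptions: the sourcetype stanza `WinEventLog:Security` is what Splunk's native Windows event log input produces, while `WMI:WinEventLog:Security` is the older WMI-based input the question used; the `\b` anchor is my addition so that 5660-5669 are not dropped by accident; the inputs.conf `blacklist` key is the Splunk 6.x forwarder-side filter the answer refers to. One caveat a reader of the question should know: nullQueue routing is applied on the instance that parses the data, so with a full (heavy) forwarder the props/transforms stanzas must be on the forwarder, not the indexer; only universal/light forwarders leave parsing to the indexer.

```ini
# Method 1: drop EventCode=566 on the parsing tier (nullQueue routing).
# Place these on whichever instance parses: the heavy (full) forwarder if
# you have one, otherwise the indexer.

# --- $SPLUNK_HOME/etc/system/local/props.conf ---
# Native Windows event log input (newer Windows app / forwarder)
[WinEventLog:Security]
TRANSFORMS-null = setnull

# WMI-based input (older app); keep both stanzas for mixed forwarder versions
[WMI:WinEventLog:Security]
TRANSFORMS-null = setnull

# --- $SPLUNK_HOME/etc/system/local/transforms.conf ---
[setnull]
# No quotes around the value: Splunk keeps them as literal characters and the
# regex would then never match. \b stops 5660-5669 from matching too.
REGEX = (?m)^EventCode=566\b
DEST_KEY = queue
FORMAT = nullQueue

# Method 2 (Splunk 6.x and later): blacklist the code in the forwarder's
# inputs.conf so the event is never collected or sent over the network.
# --- $SPLUNK_HOME/etc/system/local/inputs.conf (on the forwarder) ---
[WinEventLog://Security]
disabled = 0
# comma-separated list of codes; ranges such as 4656-4658 are also accepted
blacklist = 566
```

After editing, restart Splunk on the instance you changed, then verify the merged configuration with `splunk btool props list WinEventLog:Security --debug` and `splunk btool transforms list setnull --debug` (btool prints which file each setting came from, which catches a stanza left on the wrong host). Confirm the result with a search such as `sourcetype=WinEventLog:Security EventCode=566 earliest=-15m`, which should return nothing once events are flowing. Prefer Method 2 where the forwarder version allows it: a nullQueue drop still costs forwarder CPU and network bandwidth before the event is discarded, whereas a blacklist never reads it from the log.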