
WinEventLog filtering EventCode


I have a Splunk central indexer on RHEL 5.5 and a forwarder (not LWF) on a Server 2008 VM. Currently I am forwarding all of WinEventLog:Security, and want to not index EventCode=566.


TRANSFORMS-null= setnull


[setnull]
REGEX ="(?m)^EventCode=566"
DEST_KEY = queue
FORMAT = nullQueue

Currently these files exist in $SPLUNK_HOME/etc/system/local on the indexer, but I am still seeing results for EventCode=566 in search.

What am I doing wrong?


Re: WinEventLog filtering EventCode


You shouldn't have the double-quotes (") around your REGEX, since they aren't in the data:

REGEX = (?m)^EventCode=566

Re: WinEventLog filtering EventCode


BEWARE: On recent versions of the Windows app, the sourcetype for Windows events has changed, so you should change props.conf accordingly:

  • [wmi] in splunk 4.1
  • [WMI:WinEventLog:Security] in 4.2

Please try them both, or use them both if you have a mix of forwarder versions, to cover them all.
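Putting the two answers above together, here is a complete indexer-side pair of stanzas as an added example (this is not the asker's files and not text from either answer): props.conf attaches the transform under both sourcetype stanzas the answer lists, and transforms.conf defines the [setnull] stanza, which is the name that TRANSFORMS-null references, with the REGEX written without the double-quotes. The file paths are the ones the question names; the `\b` remark in the comment is an added precision note, not part of the original regex.

```ini
# $SPLUNK_HOME/etc/system/local/props.conf
# One stanza per sourcetype name, so forwarders on 4.1 and 4.2 are both covered.
[wmi]
TRANSFORMS-null = setnull

[WMI:WinEventLog:Security]
TRANSFORMS-null = setnull

# $SPLUNK_HOME/etc/system/local/transforms.conf
# The stanza name must match the value referenced by TRANSFORMS-null above.
# No double-quotes around the pattern: they would become part of the regex,
# and since no event line starts with a quote, nothing would ever be dropped.
# Note: as written this also matches any code that merely starts with 566
# (e.g. 5660); append \b (^EventCode=566\b) if that distinction matters.
[setnull]
REGEX = (?m)^EventCode=566
DEST_KEY = queue
FORMAT = nullQueue
```

Two checks worth doing after editing these files: restart splunkd on the instance that holds them, because props.conf and transforms.conf are read at startup, and verify with `splunk btool props list --debug` that the stanza you expect is the one that wins. Also note where parsing happens: a full (non-lightweight) forwarder, which is what the question describes, parses events itself and sends them to the indexer already cooked, so a nullQueue transform placed only in the indexer's system/local will not see that data; it has to live on the forwarder in that case. Events that were indexed before the change stay searchable either way; the transform only affects new data.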



Re: WinEventLog filtering EventCode


UPDATE splunk 6.*
Since this version you can actually specify a list or range of EventCodes to exclude at the forwarder level, in inputs.conf. It will reduce the volume at the forwarder level and reduce the network load.



disabled = 0
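As an added example to go with this answer (not the poster's own stanza, of which only the `disabled = 0` line survives above), an inputs.conf stanza for the Windows forwarder that uses the Splunk 6.x `blacklist` setting to discard EventCode 566 before it is ever sent. The stanza name `[WinEventLog://Security]` is the standard one for the Security log; the range in the comment is a made-up illustration of the syntax, not a recommendation for any particular codes.

```ini
# $SPLUNK_HOME/etc/system/local/inputs.conf on the Windows forwarder
# (or in the local/ directory of the app that owns the Security input)
[WinEventLog://Security]
disabled = 0
# Splunk 6.x: drop these event codes on the forwarder, before they leave the host.
# The value is a comma-separated list of codes and/or ranges, e.g. 566,4000-4010
blacklist = 566
```

After saving, restart splunkd on the forwarder and confirm the effective setting with `splunk btool inputs list WinEventLog://Security --debug`, which also shows which file supplied the value if the same stanza exists in more than one app. Because this filter runs on the forwarder, it works whether the forwarder is universal or full, and the indexer-side props/transforms approach becomes unnecessary for this event code.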
