Re: Window Event (Multiline) nullQueue Question

khyoung7410 · ‎08-08-2019

Hi
A nullQueue procedure is need in multiline data, such as in a Windows security log.
The heavy forwarder is trying to nullQueueue logs sent by a large number of universal forwarders.
If it is a name other than ComputerName=PC01 and ComputerName=PC02, I would like to send EventCode=5145 to nullQueueue.
But I have to get another EventCode.
Is there a good way?

-- example data--
08/09/2019 12:21:21 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5145
EventType=0
Type=info
ComputerName=PC01

jawaharas · ‎08-08-2019

Provided the windows events are properly parsed for multiline, you can keep specific events and discard the rest as below.

1) Edit props.conf and add the following (Modify sourcetype accordingly):

[winSecurityLog]
TRANSFORMS-set= setnull,setparsing

2) Edit transforms.conf and add the following:

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = PC0[1-2]
DEST_KEY = queue
FORMAT = indexQueue

Reference:
https://docs.splunk.com/Documentation/Splunk/7.2.3/Forwarding/Routeandfilterdatad

khyoung7410 · ‎08-09-2019

It doesn't fit the above conditions.

jawaharas · ‎08-12-2019

Is this your condition?

if (ComputerName !=PC01 AND ComputerName!=PC02 AND EventCode=5145)
then
Send_To_NullQueue
else
Send_to_IndexQueue

Window Event (Multiline) nullQueue Question

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation