Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Window Event (Multiline) nullQueue Question

khyoung7410
Communicator
‎08-08-2019 10:57 PM

Hi
A nullQueue procedure is need in multiline data, such as in a Windows security log.
The heavy forwarder is trying to nullQueueue logs sent by a large number of universal forwarders.
If it is a name other than ComputerName=PC01 and ComputerName=PC02, I would like to send EventCode=5145 to nullQueueue.
But I have to get another EventCode.
Is there a good way?

-- example data--
08/09/2019 12:21:21 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5145
EventType=0
Type=info
ComputerName=PC01

0 Karma
Reply

jawaharas
Motivator
‎08-08-2019 11:21 PM

Provided the windows events are properly parsed for multiline, you can keep specific events and discard the rest as below.

1) Edit props.conf and add the following (Modify sourcetype accordingly):

[winSecurityLog]
TRANSFORMS-set= setnull,setparsing

2) Edit transforms.conf and add the following:

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = PC0[1-2]
DEST_KEY = queue
FORMAT = indexQueue

Reference:
https://docs.splunk.com/Documentation/Splunk/7.2.3/Forwarding/Routeandfilterdatad

0 Karma
Reply

khyoung7410
Communicator
‎08-09-2019 01:42 AM

It doesn't fit the above conditions.

0 Karma
Reply

jawaharas
Motivator
‎08-12-2019 09:13 PM

Is this your condition?

if (ComputerName !=PC01 AND ComputerName!=PC02 AND EventCode=5145)
then
Send_To_NullQueue
else
Send_to_IndexQueue

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security: Your Command Center for PCI DSS Compliance

Every security professional knows the drill. The PCI DSS audit is approaching, and suddenly everyone's asking ...

Developer Spotlight with Guilhem Marchand

From Splunk Engineer to Founder: The Journey Behind TrackMe    After spending over 12 years working full time ...

Cisco Catalyst Center Meets Splunk ITSI: From 'Payments Are Down' to Root Cause in ...

The Problem: When Networks and Services Don't Talk Payment systems fail at a retail location. Customers are ...