Re: Window Event (Multiline) nullQueue Question

khyoung7410 · ‎08-08-2019

Hi
A nullQueue procedure is need in multiline data, such as in a Windows security log.
The heavy forwarder is trying to nullQueueue logs sent by a large number of universal forwarders.
If it is a name other than ComputerName=PC01 and ComputerName=PC02, I would like to send EventCode=5145 to nullQueueue.
But I have to get another EventCode.
Is there a good way?

-- example data--
08/09/2019 12:21:21 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5145
EventType=0
Type=info
ComputerName=PC01

jawaharas · ‎08-08-2019

Provided the windows events are properly parsed for multiline, you can keep specific events and discard the rest as below.

1) Edit props.conf and add the following (Modify sourcetype accordingly):

[winSecurityLog]
TRANSFORMS-set= setnull,setparsing

2) Edit transforms.conf and add the following:

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = PC0[1-2]
DEST_KEY = queue
FORMAT = indexQueue

Reference:
https://docs.splunk.com/Documentation/Splunk/7.2.3/Forwarding/Routeandfilterdatad

khyoung7410 · ‎08-09-2019

It doesn't fit the above conditions.

jawaharas · ‎08-12-2019

Is this your condition?

if (ComputerName !=PC01 AND ComputerName!=PC02 AND EventCode=5145)
then
Send_To_NullQueue
else
Send_to_IndexQueue

Window Event (Multiline) nullQueue Question

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio