Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Windows Events filtering

only4luca
New Member
‎10-13-2012 12:01 PM

Hi All,

Trying to filter on Win Sec events, dropping events that don't have particular eventids and Account Name contains $ (computer accounts)
Currently I have something like this in my transforms.conf:

[eventsallowed]
... = (?m)^EventCode=(4624|4625).Account Name:^((?!\$).)*$

this doesn't work. Dropping the Account Name: ... forwards the events correctly. The reg also seems to be fine for the account name, so not sure what i'm doing wrong.
Any ideas?

Thanks,
Luca

Tags (1)
0 Karma
Reply

Lord_Middleton
New Member
‎02-22-2013 11:45 AM

Nope- trying to get it running on the main Splunk instance- sorry for the delay... been busy on other projects.

0 Karma
Reply

Ayn
Legend
‎01-30-2013 02:45 PM

If you're trying to do this on a Universal Forwarder, that won't work. Filtering can only be performed on Splunk instances that perform parsing (basically, most instances except Universal Forwarders).

0 Karma
Reply

Lord_Middleton
New Member
‎01-30-2013 02:29 PM

Did you end up figuring out what the issue was? I am working on the same task and have been bashing my head against it for a little while now...

0 Karma
Reply

MarioM
Motivator
‎10-14-2012 11:40 AM

have you tried with (?msi) instead of (?m) ?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...