Hello,
I'having some problem when filtering standard Windows events. My goal is to send the events coming from my UFs to two different indexes based on the users. If the user ends with ".adm" the index should be index1, otherwhise index2. Here is my regex for filtering https://regex101.com/r/PsEHIp/1
I put it in inputs.conf
###### OS Logs ######
[WinEventLog://Security]
disabled = 0
index = index1
followTail=true
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist = (?ms)EventCode=(4624|4634|4625)\s+.*\.adm
renderXml=false
Hello, thanks for the clarification. Your solution is about to send all the events that match
(?ms)EventCode=(4624|4634|4625)\s+.*\.adm
in a specific index, but what about if I want to send the not matched events to another index?
You could leave the index=index1 field in the inputs.conf stanza. That way all non-matching events would go to index1, and all matching events would go to index 2
This can be accomplished with props and transforms. On your indexer machines, make the following files with stanzas: (whether through cluster bundle pushes or direct editing)
props.conf
# put this stanza in props.conf. Here your source field for the logs is assumed to be "WinEventLog://Security"
[source::WinEventLog://Security]
TRANSFORMS-anynamegoeshere=yourtransformname
# If you would like to apply the filter to a sourcetype, you can also do this:
[<yoursourcetype>]
TRANSFORMS-anynamegoeshere=yourtransformname
transforms.conf
# Put this in transforms.conf
[yourtransformname]
REGEX = (?ms)EventCode=(4624|4634|4625)\s+.*\.adm
FORMAT = index2
DEST_KEY = _MetaData:Index
It seems that the regex is not working, because the events are still arriving in index1, I tried different regexes but is the same
Can you troubleshoot that Splunk is applying the props and transforms to the logs?
E.g. what do your inputs.conf and props.conf stanzas look like for this log type, and on which Splunk machines are the inputs.conf and props.conf files placed