Windows events filtering not working

marco_massari11
Communicator

Hello,

I'm having some problems filtering standard Windows events. My goal is to send the events coming from my UFs to two different indexes based on the user: if the user ends with ".adm" the index should be index1, otherwise index2. Here is my regex for filtering: https://regex101.com/r/PsEHIp/1

I put it in inputs.conf:

###### OS Logs ######
[WinEventLog://Security]
disabled = 0
index = index1
followTail=true
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist = (?ms)EventCode=(4624|4634|4625)\s+.*\.adm
renderXml=false
0 Karma

marco_massari11
Communicator

Hello, thanks for the clarification. Your solution sends all the events that match

(?ms)EventCode=(4624|4634|4625)\s+.*\.adm

to a specific index, but what if I want to send the non-matching events to another index?

0 Karma

marnall
Motivator

You could leave the index=index1 field in the inputs.conf stanza. That way all non-matching events would go to index1, and all matching events would go to index2.

0 Karma

marnall
Motivator

This can be accomplished with props and transforms. On your indexer machines, make the following files with stanzas (whether through cluster bundle pushes or direct editing):

props.conf

# Put this stanza in props.conf. Note that the source Splunk assigns to events from the
# [WinEventLog://Security] input is "WinEventLog:Security" (single colon), not the
# inputs.conf stanza name, so the source stanza has to match that value.
[source::WinEventLog:Security]
TRANSFORMS-anynamegoeshere=yourtransformname

# If you would like to apply the filter to a sourcetype instead, you can also do this.
# For this input the default sourcetype is WinEventLog:Security
# (XmlWinEventLog:Security when renderXml=true).
[<yoursourcetype>]
TRANSFORMS-anynamegoeshere=yourtransformname

transforms.conf

# Put this in transforms.conf. index2 must already be defined on the indexers;
# events routed to an index that does not exist are dropped (unless lastChanceIndex is set).
[yourtransformname]
REGEX = (?ms)EventCode=(4624|4634|4625)\s+.*\.adm
FORMAT = index2
DEST_KEY = _MetaData:Index
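The routing logic described in the answer above, as an added example that is not part of the thread or of Splunk's own code: a small Python simulation that applies the transform's REGEX to constructed Security events in the classic text layout (renderXml=false, as in the inputs.conf posted earlier) and reports which index each event would land in. The sample events, the helper names (make_event, route, routing_table) and TIGHT_REGEX are assumptions made for this example; TIGHT_REGEX is an alternative that only fires when an "Account Name:" line ends in ".adm", which the posted pattern does not guarantee because its greedy `.*` lets ".adm" match inside any later token (a hostname such as WS-01.admin.corp, for instance). Python's re with (?ms) behaves the same way as the PCRE Splunk uses for these two patterns.

```python
import re

# Added example, not from the thread: simulate the index-routing transform against
# constructed classic-format (renderXml=false) Security events, so the REGEX can be
# checked on realistic _raw text before it is deployed to the indexers.

# The regex exactly as posted in the transforms.conf stanza.
POSTED_REGEX = re.compile(r"(?ms)EventCode=(4624|4634|4625)\s+.*\.adm")

# Tighter variant (assumption: the goal is "Account Name ends with .adm"). It only
# matches when an "Account Name:" line ends in ".adm", so ".adm" buried in a
# hostname, path or domain elsewhere in the message does not reroute the event.
TIGHT_REGEX = re.compile(
    r"(?ms)EventCode=(4624|4634|4625)\s.*?Account Name:\s+\S+\.adm\s*$"
)


def make_event(event_code, account, workstation="WS-01"):
    """Build a constructed Security event in the classic WinEventLog _raw layout
    (key=value header, then a tab-indented Message body). All values are made up."""
    return "\n".join([
        "03/20/2024 10:15:22 AM",
        "LogName=Security",
        f"EventCode={event_code}",
        "EventType=0",
        "ComputerName=host01.corp.example",
        "SourceName=Microsoft Windows security auditing.",
        "Type=Information",
        "TaskCategory=Logon",
        "Message=An account was successfully logged on.",
        "",
        "Subject:",
        "\tSecurity ID:\t\tS-1-0-0",
        "\tAccount Name:\t\t-",
        "",
        "New Logon:",
        "\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-1001",
        f"\tAccount Name:\t\t{account}",
        "\tAccount Domain:\t\tCORP",
        "",
        "Network Information:",
        f"\tWorkstation Name:\t{workstation}",
        "",
    ])


def route(raw_event, regex, default_index="index1", match_index="index2"):
    """Mimic the transform: a REGEX hit sets _MetaData:Index to FORMAT (index2);
    otherwise the event keeps the index from inputs.conf (index1)."""
    return match_index if regex.search(raw_event) else default_index


# Constructed samples covering the cases that matter for this routing rule.
SAMPLES = {
    "admin logon": make_event(4624, "jdoe.adm"),
    "admin logoff": make_event(4634, "jdoe.adm"),
    "plain user": make_event(4624, "jdoe"),
    "plain user, .admin host": make_event(4624, "jdoe", workstation="WS-01.admin.corp"),
    "other event code": make_event(4672, "jdoe.adm"),
}


def routing_table(regex):
    """Return {sample name: index} for every constructed sample under one regex."""
    return {name: route(raw, regex) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for label, regex in (("posted", POSTED_REGEX), ("tight", TIGHT_REGEX)):
        print(f"--- {label} regex ---")
        for name, idx in routing_table(regex).items():
            print(f"{name:28s} -> {idx}")
```

Run it and compare the two tables: the posted pattern sends the "plain user, .admin host" event to index2 even though the account is not an admin account, while the tighter pattern keeps it in index1. Since this decides which index (and therefore which retention and role-based access) admin logon events end up under, it is worth testing the pattern against a handful of real `_raw` samples this way before pushing it. Once deployed, `splunk btool props list --debug` on an indexer confirms which props.conf file supplies the TRANSFORMS- setting and that the stanza name matches the source or sourcetype the events actually carry.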

marco_massari11
Communicator

It seems that the regex is not working, because the events are still arriving in index1. I tried different regexes but it's the same.

0 Karma

marnall
Motivator

Can you check that Splunk is actually applying the props and transforms to the logs?

E.g. what do your inputs.conf and props.conf stanzas look like for this log type, and on which Splunk machines are the inputs.conf and props.conf files placed?

0 Karma