Now it's ok!!!!!
props.conf
[WMI:WinEventLog:Security]
# Transforms run in the order listed: the catch-all nullQueue rule first, then the 4624 override
TRANSFORMS-wmi = wminull, wmiparsing
transforms.conf
[wminull]
# Matches every event and routes it to nullQueue (dropped) unless a later transform overrides
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[wmiparsing]
# Raw WMI events are multi-line key=value text, so (?m) is needed for ^ to match the EventCode line
REGEX = (?m)^EventCode=(4624)
DEST_KEY = queue
FORMAT = indexQueue
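To see why the accepted configuration keeps only EventCode 4624 while the earlier single-transform attempt (4624 matched and sent to nullQueue) drops exactly the wrong events, here is a small simulator of the routing behaviour the thread depends on. It is an added example for this thread, not Splunk code: it models only the documented rule that transforms in a TRANSFORMS-<class> list run in the listed order and each matching transform with DEST_KEY=queue overwrites the queue, so the last match wins. The sample events and the minimal .conf parser are constructed for the example.

```python
"""Simulate Splunk queue routing from props.conf/transforms.conf (added example, not Splunk code)."""
import re

# Constructed sample events (not real captures) shaped like WMI:WinEventLog:Security raw text:
# one key=value pair per line, which is why the REGEX in the thread needs the (?m) flag.
SAMPLE_EVENTS = [
    "LogName=Security\nEventCode=4624\nEventType=0\nMessage=An account was successfully logged on.",
    "LogName=Security\nEventCode=4634\nEventType=0\nMessage=An account was logged off.",
    "LogName=Security\nEventCode=4625\nEventType=0\nMessage=An account failed to log on.",
    "LogName=Security\nEventCode=4624\nEventType=0\nMessage=An account was successfully logged on.",
]

# The accepted configuration from the thread.
ACCEPTED_PROPS = """\
[WMI:WinEventLog:Security]
TRANSFORMS-wmi = wminull, wmiparsing
"""
ACCEPTED_TRANSFORMS = """\
[wminull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[wmiparsing]
REGEX = (?m)^EventCode=(4624)
DEST_KEY = queue
FORMAT = indexQueue
"""

# The earlier attempt from the thread: match 4624 and send it to nullQueue, nothing else.
BROKEN_PROPS = """\
[WMI:WinEventLog:Security]
TRANSFORMS-wmi=wminull
"""
BROKEN_TRANSFORMS = """\
[wminull]
REGEX=(?m)^EventCode=(4624)
DEST_KEY=queue
FORMAT=nullQueue
"""


def parse_conf(text):
    """Minimal .conf parser: {stanza: {key: value}}. Skips blank lines and # comments."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def transforms_for(sourcetype, props_text, transforms_text):
    """Resolve every TRANSFORMS-* list of a sourcetype into ordered transform stanzas."""
    props = parse_conf(props_text).get(sourcetype, {})
    transforms = parse_conf(transforms_text)
    ordered = []
    for key, value in props.items():
        if key.startswith("TRANSFORMS-"):
            ordered.extend(transforms[name.strip()] for name in value.split(","))
    return ordered


def route(raw_event, transforms):
    """Queue the event ends up in: default indexQueue, overwritten by each matching
    DEST_KEY=queue transform in order, so the last matching transform decides."""
    queue = "indexQueue"
    for t in transforms:
        if t.get("DEST_KEY") == "queue" and re.search(t["REGEX"], raw_event):
            queue = t["FORMAT"]
    return queue


def indexed_event_codes(props_text, transforms_text, events=SAMPLE_EVENTS):
    """EventCodes that survive to the index under the given config, in arrival order."""
    chain = transforms_for("WMI:WinEventLog:Security", props_text, transforms_text)
    kept = []
    for ev in events:
        if route(ev, chain) == "indexQueue":
            kept.append(re.search(r"(?m)^EventCode=(\d+)", ev).group(1))
    return kept


if __name__ == "__main__":
    print("accepted config keeps:", indexed_event_codes(ACCEPTED_PROPS, ACCEPTED_TRANSFORMS))
    print("earlier attempt keeps:", indexed_event_codes(BROKEN_PROPS, BROKEN_TRANSFORMS))
```

Running it shows the accepted pair keeping only the two 4624 events, while the earlier attempt keeps 4634 and 4625 and drops 4624. Swapping the list to `wmiparsing, wminull` makes the catch-all run last and drops everything, which is the ordering trap to check for when a whitelist filter silently indexes nothing.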
GREAT! Happy to help
Good answer!
lantuin,
The following Splunk documentation should be able to assist you with this setup... http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Routeandfilterdatad#Filter_WMI_events.
The following splunk base question may also be of use, as it has a working solution... http://splunk-base.splunk.com/answers/29218/filtering-windows-event-logs.
I believe this should answer your question.
If this does answer your question, please mark this question as answered to help the community.
Regards,
Matt
... for example...
props.conf:
[WMI:WinEventLog:Security]
TRANSFORMS-security= events-null, events-filter
transforms.conf:
[events-null]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[events-filter]
REGEX = (?m)^EventCode=(4624)
DEST_KEY = queue
FORMAT = indexQueue
When you said... "I try to change Format to IndexQueue" ...
Is this how you used the index queue (i.e. IndexQueue, as stated above)? I believe this should be indexQueue.
Apologies if you have already done this; it is most probably case sensitive.
Yes Ayn, they're coming after I made these changes and "WMI:WinEventLog:Security" is the right sourcetype.
OK. And you can see for sure that this is not being applied to events coming in after you've made these changes? The events that are already in the index won't go away, but new ones should be filtered.
Is "WMI:WinEventLog:Security" the sourcetype you're looking to apply this filter to?
Yes, of course!
Did you restart Splunk after making these changes?
I try to change Format to IndexQueue
props.conf:
[WMI:WinEventLog:Security]
TRANSFORMS-wmi=wminull
transforms.conf:
[wminull]
REGEX=(?m)^EventCode=(4624)
DEST_KEY=queue
FORMAT=nullQueue
Can you include an example of your props.conf and transforms.conf?
I think possibly you are sending the events to a nullQueue (as shown in the Windows example of the link above), but not to another queue, as shown in other examples.
Yes, I'm doing this but without result. The changes have no effect; I receive other event codes than 4624.
Have you restarted your Splunk services after making the changes to the props/transforms.conf files?
You should edit a file called transforms.conf via a shell/command line session. The file should be located in one of the following locations (you may need to create this if it does not exist):
$SPLUNK_HOME/etc/apps/
$SPLUNK_HOME/etc/apps/
$SPLUNK_HOME/etc/system/local/transforms.conf
I'm sorry, I'm not so expert 😞 I mean:
splunk > Manager > Fields > Transforms
What do you mean "by GUI"?
I've got some problems 😞 If I try to insert this directive by GUI, splunk says to me:
In handler 'transforms-extract': Invalid FORMAT: indexQueue (for events-filter)
In handler 'transforms-extract': Invalid FORMAT: nullQueue (for events-null and events-null3)
Yes, of course!