Getting Data In

filter WinEventLog:Security by Account Name

jturnerrdba
New Member

I'm running Splunk 5.0 build 140868 on a Windows 2008 R2 server. I'm trying to audit file and folder deletes on this server, but the appropriate way to do this is to log for everyone. My Splunk service account, splunkrdba, makes changes to its logs constantly, so I want to send these events to the null queue, but I'm having issues with the regex. Below are my most recent props.conf, transforms.conf, and a sample log event that I'm trying to prevent.

Props.conf
[WinEventLog:Security]
TRANSFORMS-wmi = wminull

Transforms.conf
[wminull]
REGEX = (?msi)^Accoung_Name=splunkrdba
DEST_KEY = queue
FORMAT = nullqueue

02/08/2013 09:32:55 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4660
EventType=0
Type=Information
ComputerName= X
TaskCategory=File System
OpCode=Info
RecordNumber=3184693
Keywords=Audit Success
Message=An object was deleted.

Subject:
Security ID: RDBA\splunkrdba
Account Name: splunkrdba
Account Domain: RDBA
Logon ID: 0xb8bbf7

Object:
Object Server: Security
Handle ID: 0x64

Process Information:
Process ID: 0x1b00
Process Name: C:\Program Files\Splunk\bin\splunk-optimize.exe
Transaction ID: {00000000-0000-0000-0000-000000000000}


host=RDBALOG-002
sourcetype=WinEventLog:Security
source=WinEventLog:Security
0 Karma

jturnerrdba
New Member

I've finally gotten this to work on my own.

A few things changed.

1) I upgraded to the newest version of Splunk
2) I changed the regex statement to be just regex = splunkrdba
3) I changed transforms.conf to be FORMAT = nullQueue

I believe the 1st didn't really do much, but I wanted to mention it. I think the second one finally caught what I wanted without catching anything else, and I believe the capital Q is necessary. Hope this helps someone else.

0 Karma

jturnerrdba
New Member

Just as an FYI, I noticed a typo in this. Transforms.conf now reads as below. This did not fix the issue however.

[wminull]
REGEX = (?msi)^Account_Name=splunkrdba
DEST_KEY = queue
FORMAT = nullqueue

0 Karma
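As an added illustration, not from the thread or from Splunk, the script below replays the REGEX values from the first post and the fix in the second post against a trimmed copy of the sample 4660 event, using Python's re module (which understands the same (?msi) inline flags). It adds a constructed 4663 event from another user whose object path merely contains the string splunkrdba, and an anchored regex that is this example's own suggestion, to show why the bare `splunkrdba` regex also drops events that are not the service account's own activity.

```python
import re

# Trimmed copy of the 4660 event posted in the thread. The tab indentation
# Windows puts before the Message fields was lost in extraction, so the
# anchored regex tolerates any leading whitespace with \s*.
SPLUNK_SVC_DELETE = """EventCode=4660
Message=An object was deleted.

Subject:
Security ID: RDBA\\splunkrdba
Account Name: splunkrdba
Account Domain: RDBA

Object:
Handle ID: 0x64
"""

# Constructed event (not from the thread): a different user accesses an
# object whose path happens to contain "splunkrdba". It must NOT be dropped.
OTHER_USER_ACCESS = """EventCode=4663
Message=An attempt was made to access an object.

Subject:
Security ID: RDBA\\jdoe
Account Name: jdoe
Account Domain: RDBA

Object:
Object Name: C:\\Shares\\finance\\splunkrdba-notes.txt
Handle ID: 0x9c
"""

# "original" and "bare" are the thread's REGEX values; "anchored" is this
# example's assumption: match only the Subject block's Account Name line.
THREAD_REGEX = {
    "original": r"(?msi)^Account_Name=splunkrdba",
    "bare": r"splunkrdba",
    "anchored": r"(?ms)^Subject:\s*\n(?:\s*Security ID:[^\n]*\n)?\s*Account Name:\s*splunkrdba\s*$",
}

def would_nullqueue(regex: str, raw_event: str) -> bool:
    """transforms.conf REGEX is applied to the raw event text, where the
    field reads 'Account Name: ...', not the search-time name Account_Name."""
    return re.search(regex, raw_event) is not None

def route_table() -> dict:
    """Per regex: (drops the service-account event, drops the other user's event)."""
    return {name: (would_nullqueue(rx, SPLUNK_SVC_DELETE),
                   would_nullqueue(rx, OTHER_USER_ACCESS))
            for name, rx in THREAD_REGEX.items()}
```

The original regex matches neither event because the raw text never contains `Account_Name=`; the bare regex drops both, including the other user's access to a file named after the account; only the anchored form drops just the service account's own events.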