Getting Data In

splunk 4.1.x .conf files no longer working with splunk 4.2

DyJohnnY
Explorer

Hi,

For 1 year or so I've been using a configuration for my splunk forwarders, as in this link:
http://www.megafileupload.com/en/file/315637/local-rar.html

I store everything in /etc/system/local/*
The files above are merged with the files that splunk creates when it installs itself.

Lately (I think starting with some 4.1.x version of splunk), on Windows 2008 R2 domain controllers I no longer get the results I want:

  1. I want splunk to filter out all success audit events from the security logs and only send over failed audits. This however is not working; I get the entire output of the security logs, which in turn is making us go over our quota for indexed data.

Could anyone take a look at the configuration files and tell me what should be changed in order to get splunk to filter out failed audits?

The config files are also supposed to filter out some audit success events; that is also not working, but that is a secondary concern. First I'd like it to just do this simple failed audit/success audit filter that has been working fine for over 1 year.

thanks,
ionut

DyJohnnY
Explorer

Anyone, any thoughts on this?

thanks,
ionut

0 Karma

DyJohnnY
Explorer

hi,

To clear up a few things:
NO WMI filtering is done; I'm using the inputs file to explicitly disable it.

I've updated the files we use:
http://www.megafileupload.com/en/file/315727/local2-rar.html

This is how we want to use splunk:
http://imageshack.us/photo/my-images/848/splunklogicaldiagram.jpg/

  1. We want to send all failure audit to one Splunk indexer
  2. We want to send some failure success events from the security Log to another splunk indexer server.
  3. We want to drop all other success audit events.

thanks,
ionut

0 Karma

jbsplunk
Splunk Employee

So, I don't see your transforms.conf file in the rar you linked to, however, there were some bad things about trying to route data to nullQueue under Splunk 4.1.x and 4.2 that were specific to WMI, which is how it looks like this data is being pulled into Splunk. These defects have been fixed under 4.2.1, so you might want to try updating to see if that helps.

0 Karma
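For readers landing here with the same goal, an added example (not from the thread or any of its posters) of how the three requirements listed above are usually expressed with the nullQueue routing jbsplunk mentions, on a heavy forwarder with the files under $SPLUNK_HOME/etc/system/local as in the question. One point worth checking against the original .conf files: Windows 2008 events mark the outcome with a `Keywords=Audit Success` / `Keywords=Audit Failure` line, whereas Windows 2003 events used `Type=Success Audit` / `Type=Failure Audit`, so a regex written for 2003-style events never matches on a 2008 R2 domain controller. The stanza names, the indexer host names and the EventCode values chosen to stand in for "some success events" (4720, 4726) are assumptions, not values from the thread.

```ini
# --- props.conf (heavy forwarder, $SPLUNK_HOME/etc/system/local) ---
# Transforms in the list run left to right against every Security event.
[WinEventLog:Security]
TRANSFORMS-security = drop_success_audit, keep_selected_success, route_selected_success

# --- transforms.conf ---
# 1. Drop every success audit. Match both the Windows 2008 form
#    ("Keywords=Audit Success") and the Windows 2003 form ("Type=Success Audit").
[drop_success_audit]
REGEX = (?m)^(Keywords=Audit Success|Type=Success Audit)\s*$
DEST_KEY = queue
FORMAT = nullQueue

# 2. Put the success events we still want back on the indexing path.
#    EventCode 4720 / 4726 (user account created / deleted) are placeholders
#    standing in for "some success events"; substitute the codes you need.
#    In the Windows event text the EventCode line precedes the Keywords line.
[keep_selected_success]
REGEX = (?ms)^EventCode=(4720|4726)\s*$.*^(Keywords=Audit Success|Type=Success Audit)\s*$
DEST_KEY = queue
FORMAT = indexQueue

# 3. Send exactly those kept success events to the second indexer group.
[route_selected_success]
REGEX = (?ms)^EventCode=(4720|4726)\s*$.*^(Keywords=Audit Success|Type=Success Audit)\s*$
DEST_KEY = _TCP_ROUTING
FORMAT = success_indexers

# --- outputs.conf ---
# Events with no explicit _TCP_ROUTING (the failure audits) go to the default group.
[tcpout]
defaultGroup = failure_indexers

# placeholder host names
[tcpout:failure_indexers]
server = indexer-a.example.com:9997

[tcpout:success_indexers]
server = indexer-b.example.com:9997
```

Both the nullQueue filtering and the `_TCP_ROUTING` selection happen in the parsing pipeline, so they only take effect on a heavy (full) forwarder or on an indexer, never on a light forwarder. After an upgrade, `splunk btool props list WinEventLog:Security --debug` shows which file each effective setting comes from, which is the quickest way to spot a local stanza being shadowed or a stanza name that no longer matches the input.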