- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- windows event log filter
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
my transform.conf
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX =(?msi)^EventCode=4663.^Account Name:\s(?!.Administrator.)
DEST_KEY = queue
FORMAT = indexQueue
basically, I just want to index evencode is 4663 and don't want the account name is administrator.
I tried, but it doesn't work, anyone can help .. thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For people has the same requirement.
props.conf
[WMI:WinEventLog:Security]
TRANSFORMS-set= setnull,setparsing,nulladm
transforms.conf
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX =(?msi)^EventCode=4663
DEST_KEY = queue
FORMAT = indexQueue
[nulladm]
REGEX =(?msi).Account\\sName:\\s+Administrator
DEST_KEY = queue
FORMAT = nullQueue
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For people has the same requirement.
props.conf
[WMI:WinEventLog:Security]
TRANSFORMS-set= setnull,setparsing,nulladm
transforms.conf
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX =(?msi)^EventCode=4663
DEST_KEY = queue
FORMAT = indexQueue
[nulladm]
REGEX =(?msi).Account\\sName:\\s+Administrator
DEST_KEY = queue
FORMAT = nullQueue
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think your regex looks a bit funny, Account_Name does not come directly after the EventCode in the messages, right?
Anyway, I'd probably to this in a three-step operation for the sake of clarity;
setnull for all (as you already do)
setparsing for EventCode=4663 (remove the Account_Name part of the regex)
nulladm create the regex for Account_Name : Administrator to send these to the nullQueue
just be observant of the whitespaces in the log for the last regex.
and in props.conf
TRANSFORMS-my_evtlog_filtering = setnull, setparsing, nulladm
Hope this helps,
Kristian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, It works.
Developer Spotlight with Paul Stout
State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...
Data-Driven Success: Splunk & Financial Services
