Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- windows event log filter
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
my transform.conf
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX =(?msi)^EventCode=4663.^Account Name:\s(?!.Administrator.)
DEST_KEY = queue
FORMAT = indexQueue
basically, I just want to index evencode is 4663 and don't want the account name is administrator.
I tried, but it doesn't work, anyone can help .. thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For people has the same requirement.
props.conf
[WMI:WinEventLog:Security]
TRANSFORMS-set= setnull,setparsing,nulladm
transforms.conf
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX =(?msi)^EventCode=4663
DEST_KEY = queue
FORMAT = indexQueue
[nulladm]
REGEX =(?msi).Account\\sName:\\s+Administrator
DEST_KEY = queue
FORMAT = nullQueue
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For people has the same requirement.
props.conf
[WMI:WinEventLog:Security]
TRANSFORMS-set= setnull,setparsing,nulladm
transforms.conf
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX =(?msi)^EventCode=4663
DEST_KEY = queue
FORMAT = indexQueue
[nulladm]
REGEX =(?msi).Account\\sName:\\s+Administrator
DEST_KEY = queue
FORMAT = nullQueue
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think your regex looks a bit funny, Account_Name does not come directly after the EventCode in the messages, right?
Anyway, I'd probably to this in a three-step operation for the sake of clarity;
setnull for all (as you already do)
setparsing for EventCode=4663 (remove the Account_Name part of the regex)
nulladm create the regex for Account_Name : Administrator to send these to the nullQueue
just be observant of the whitespaces in the log for the last regex.
and in props.conf
TRANSFORMS-my_evtlog_filtering = setnull, setparsing, nulladm
Hope this helps,
Kristian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, It works.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Observability Simplified: Combining User Experience, Application Performance & ...
Event Series May & June: From Network Visibility to Service Intelligence
