Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- windows event log filter
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
soimeng
Explorer
04-03-2013
08:08 AM
my transform.conf
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX =(?msi)^EventCode=4663.^Account Name:\s(?!.Administrator.)
DEST_KEY = queue
FORMAT = indexQueue
basically, I just want to index evencode is 4663 and don't want the account name is administrator.
I tried, but it doesn't work, anyone can help .. thanks
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
soimeng
Explorer
04-04-2013
07:11 AM
For people has the same requirement.
props.conf
[WMI:WinEventLog:Security]
TRANSFORMS-set= setnull,setparsing,nulladm
transforms.conf
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX =(?msi)^EventCode=4663
DEST_KEY = queue
FORMAT = indexQueue
[nulladm]
REGEX =(?msi).Account\\sName:\\s+Administrator
DEST_KEY = queue
FORMAT = nullQueue
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
soimeng
Explorer
04-04-2013
07:11 AM
For people has the same requirement.
props.conf
[WMI:WinEventLog:Security]
TRANSFORMS-set= setnull,setparsing,nulladm
transforms.conf
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setparsing]
REGEX =(?msi)^EventCode=4663
DEST_KEY = queue
FORMAT = indexQueue
[nulladm]
REGEX =(?msi).Account\\sName:\\s+Administrator
DEST_KEY = queue
FORMAT = nullQueue
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kristian_kolb
Ultra Champion
04-04-2013
12:27 AM
I think your regex looks a bit funny, Account_Name does not come directly after the EventCode in the messages, right?
Anyway, I'd probably to this in a three-step operation for the sake of clarity;
setnull for all (as you already do)
setparsing for EventCode=4663 (remove the Account_Name part of the regex)
nulladm create the regex for Account_Name : Administrator to send these to the nullQueue
just be observant of the whitespaces in the log for the last regex.
and in props.conf
TRANSFORMS-my_evtlog_filtering = setnull, setparsing, nulladm
Hope this helps,
Kristian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
soimeng
Explorer
04-04-2013
07:09 AM
Thanks, It works.
Get Updates on the Splunk Community!
Enhance Your Splunk App Development: New Tools & Support
UCC FrameworkAdd-on Builder has been around for quite some time. It helps build Splunk apps faster, but it ...
Prove Your Splunk Prowess at .conf25—No Prereqs Required!
Your Next Big Security Credential: No Prerequisites Needed
We know you’ve got the skills, and now, earning the ...
Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code
This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
