Splunk Dev

remove events from Windows security

Esky73
Builder

Receiving windows security logs from UF's

I have created an app on my HF and put transforms and props in the local folder as such:

[WinEventLog:Security]
TRANSFORMS-setNull8 = NukeThumbs.db

[NukeThumbs.db]
REGEX = (?s).*Thumbs.db(?s).*
DEST_KEY = queue
FORMAT = nullQueue

However, I'm still seeing Windows event logs coming through to my Splunk instance like the following:

D:\SYSTEM\FFMC\Hireline\FFFG Fireline 2016\Pete Register\201705 May\Thumbs.db

tlam_splunk
Splunk Employee

Is it possible that your Windows event log is multiline? You could try to use (?ms) instead of (?s).


woodcock
Esteemed Legend

Try this:

[NukeThumbs.db]
REGEX = \\Thumbs\.db(?:[\r\n]+|$)
DEST_KEY = queue
FORMAT = nullQueue

Deploy this to your INDEXERS and restart all Splunk instances there. When testing your change, only examine events that were indexed AFTER the restarts (you can use something like _index_earliest=-2m or similar); older events will stay broken (not deleted).


Esky73
Builder

So this wouldn't work at the HF level? I have no access to the Splunk Cloud indexers.


woodcock
Esteemed Legend

Yes, it will work for HF; I should have written your parsing servers instead of Indexers.


Esky73
Builder

Applied to the HF and restarted the HF; events are still being seen.

Also added:

[Nukesvchost]
# The bracket must not be escaped, or the class becomes the literal text "[Ss]vchost";
# the dot in ".exe" is escaped so it only matches a period.
REGEX = [Ss]vchost\.exe(?:[\r\n]+|$)
DEST_KEY = queue
FORMAT = nullQueue

which looks right (in regex101.com)

However, it also doesn't stop the events.

Props and transforms are located in:

C:\ProgramFiles\Splunk\etc\apps\Splunk_TA_EventNukes\local

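To see which of the patterns in this thread would actually send an event to nullQueue, here is an added test harness (not posted by anyone in the thread and not Splunk code) that applies the transforms-style REGEX to a few constructed Windows Security events with Python's re module. It uses search semantics, as Splunk does for a transform REGEX, and includes a multiline event to cover tlam_splunk's point. The first poster's `(?s).*Thumbs.db(?s).*` is left out only because Python rejects a global flag in the middle of a pattern; the svchost pattern as originally posted (escaped bracket) is kept beside a corrected form to show the difference. Sample events and paths are constructed, not taken from the poster's data.

```python
import re

# Constructed sample events; the paths and field text are illustrative only.
SAMPLE_EVENTS = [
    # Single-line event naming a Thumbs.db object
    "EventCode=4663 Object Name: D:\\Share\\2017 May\\Thumbs.db\r\n",
    # Multiline event: Thumbs.db in the middle, more fields follow
    "EventCode=4663\r\nObject Name: D:\\Share\\Thumbs.db\r\nAccess Mask: 0x1\r\n",
    # Process creation event for svchost.exe
    "EventCode=4688 New Process Name: C:\\Windows\\System32\\svchost.exe\r\n",
    # Unrelated logon event that should reach the index
    "EventCode=4624 Logon Type: 3\r\n",
]

# Patterns as they appear in the thread, plus one corrected svchost pattern.
WOODCOCK_THUMBS = r"\\Thumbs\.db(?:[\r\n]+|$)"
POSTED_SVCHOST = r"\[Ss]vchost.exe(?:[\r\n]+|)"   # escaped '[' makes it literal text
FIXED_SVCHOST = r"[Ss]vchost\.exe(?:[\r\n]+|$)"   # real character class, escaped dot


def would_null_queue(regex, event):
    """True if the transform REGEX matches anywhere in the raw event.

    Splunk applies a transform REGEX with search (not full-match) semantics,
    so a hit anywhere in _raw is enough to trigger DEST_KEY/FORMAT.
    """
    return re.search(regex, event) is not None


def route(events, regexes):
    """Simulate a stanza with several nullQueue transforms applied in order.

    Returns one queue name per event: 'nullQueue' if any regex matched,
    otherwise 'indexQueue'.
    """
    routed = []
    for event in events:
        dropped = any(would_null_queue(rx, event) for rx in regexes)
        routed.append("nullQueue" if dropped else "indexQueue")
    return routed


if __name__ == "__main__":
    for name, rx in [("woodcock Thumbs.db", WOODCOCK_THUMBS),
                     ("posted svchost", POSTED_SVCHOST),
                     ("fixed svchost", FIXED_SVCHOST)]:
        hits = [i for i, ev in enumerate(SAMPLE_EVENTS) if would_null_queue(rx, ev)]
        print(f"{name:20s} matches events {hits}")
    print(route(SAMPLE_EVENTS, [WOODCOCK_THUMBS, FIXED_SVCHOST]))
```

Running it shows the posted svchost pattern matching nothing, because `\[Ss]` looks for the literal text `[Ss]`, while the corrected class matches the 4688 event; woodcock's Thumbs.db pattern matches both the single-line and the multiline event, since `[\r\n]+` accepts the line break that follows the filename. If a pattern matches here but events still arrive, the regex is not the problem and the question becomes whether the transform is being applied on the host that actually parses the data.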

Esky73
Builder

I have implemented the filtering in inputs.conf on the HF for now, but I would still like to know what the issue could be.

Could it be something to do with the fact that the HFs have a 0 byte license? They just forward the data to the cloud.
