Splunk Search

Drop XML event data via transforms.conf

mjemi
Loves-to-Learn Everything

I need to drop EventCode 4634 and 4624 with Login_type 3. How can I use the nullqueue option and write the correct REGEX in transforms.conf?


_JP
Contributor

Let's assume your sourcetype is called WindowsEventSourcetype, then you will want to add some lines to that sourcetype's definition in props.conf and transforms.conf:


props.conf

[WindowsEventSourcetype]
TRANSFORMS-t1=eliminate-4624-4634-3

transforms.conf

[eliminate-4624-4634-3]
# the s flag lets .*? span the line breaks between EventCode and the logon type line
REGEX=(?ms)EventCode\s*=\s*(4624|4634).*?Type\s*=\s*3\s
DEST_KEY=queue
FORMAT=nullQueue

A couple things to note:

  • These configurations need to be deployed to where your data is "cooked" by Splunk, not searched or the UF.  So this means these should be going to Heavy Forwarder(s) and Indexer(s) in your environment that would be ingesting this windows event log data.
  • I might be slightly off on the regular expression - I can't recall the exact format of the logs.  If you could post a couple samples I could tighten this up.  Right now the regex is doing something like, "Use multiline mode, look for EventCodes 4624 or 4634, then some more stuff, then Type 3" - I don't recall how the Login_type is labeled within these particular events from Windows.
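One way to check a nullQueue regex before it is deployed to the heavy forwarders and indexers is to dry-run it against sample events offline. The following Python script is an added example and is not code from the thread or from Splunk. It assumes the multi-line layout that Splunk's Windows event log input produces (an EventCode=... header line followed by the rendered message text containing a "Logon Type:" line); the sample events, the "Logon Type:" label and the \b after the event code are this example's own assumptions. It shows why the dotall flag matters: with (?m) alone, .*? cannot cross the line breaks between EventCode and the logon type, so nothing is dropped, while the (?s) variant drops exactly the 4624/4634 type 3 events and keeps everything else. Splitting the sample into dropped and kept lists also lets you see how much logon visibility the filter removes before you commit to it.

```python
import re

# Constructed sample events, laid out the way Splunk's Windows event log input
# renders them (key=value header, then the rendered Message text). All values
# are made up for this example.
SAMPLE_EVENTS = [
    # 4624, network logon (type 3): should be dropped
    "01/02/2024 09:15:01 AM\nLogName=Security\nEventCode=4624\nEventType=0\n"
    "Message=An account was successfully logged on.\n\nLogon Type:\t\t3\n\n"
    "New Logon:\n\tAccount Name:\t\tsvc_backup\n",
    # 4624, interactive logon (type 2): should be kept
    "01/02/2024 09:15:02 AM\nLogName=Security\nEventCode=4624\nEventType=0\n"
    "Message=An account was successfully logged on.\n\nLogon Type:\t\t2\n\n"
    "New Logon:\n\tAccount Name:\t\talice\n",
    # 4634, logoff of a type 3 session: should be dropped
    "01/02/2024 09:15:03 AM\nLogName=Security\nEventCode=4634\nEventType=0\n"
    "Message=An account was logged off.\n\nLogon Type:\t\t3\n",
    # 4625, failed logon, type 3: should be kept (not in the drop list)
    "01/02/2024 09:15:04 AM\nLogName=Security\nEventCode=4625\nEventType=0\n"
    "Message=An account failed to log on.\n\nLogon Type:\t\t3\n",
]

# Multiline mode only: '.' does not match a newline, so '.*?' cannot reach the
# 'Logon Type:' line and the pattern never matches a real multi-line event.
REGEX_MULTILINE_ONLY = r"(?m)EventCode\s*=\s*(4624|4634)\b.*?Logon Type:\s*3\s"

# Dotall variant (assumed log layout): (?s) lets '.*?' cross line breaks,
# 'Logon Type:' is the label in the rendered Windows message text, and '\b'
# stops a code such as 46241 from matching 4624.
REGEX_DOTALL = r"(?s)EventCode\s*=\s*(4624|4634)\b.*?Logon Type:\s*3\s"


def would_be_dropped(event: str, regex: str) -> bool:
    """True when REGEX matches _raw, i.e. the transform would send it to nullQueue."""
    return re.search(regex, event) is not None


def dry_run(events, regex):
    """Split events into (dropped, kept) so the discard volume can be reviewed
    before the transform reaches the forwarders and indexers."""
    dropped, kept = [], []
    for event in events:
        (dropped if would_be_dropped(event, regex) else kept).append(event)
    return dropped, kept


def event_codes(events):
    """Return the EventCode of each event, for a readable summary."""
    return [re.search(r"EventCode=(\d+)", e).group(1) for e in events]


if __name__ == "__main__":
    for label, regex in (("multiline", REGEX_MULTILINE_ONLY), ("dotall", REGEX_DOTALL)):
        dropped, kept = dry_run(SAMPLE_EVENTS, regex)
        print(f"{label:9}: dropped {event_codes(dropped)}, kept {event_codes(kept)}")
```

Python's re engine is not identical to the PCRE engine Splunk uses, but this pattern only relies on syntax the two share (inline flags, \s, \b, alternation, lazy quantifiers). Paste a few real _raw events from the index in place of the constructed samples to confirm the label text before deploying.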