Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Exclusion Not Working In Transforms.Conf File

itsomana
Path Finder
‎11-10-2011 06:45 AM

I have four Windows 2008 R2 servers each running a Splunk Univerisal Forwarder. On the Splunk server in the transforms.Conf file which resides in C:\Program Files\Splunk\etc\system\local I have the following configuration:

[FilterSecurityEvents]
REGEX = (?m)EventCode=(5156)
DEST_KEY = queue
FORMAT = nullQueue

In the props.conf file which also resides in C:\Program Files\Splunk\etc\system\local I have the following entry:

[WinEventLog:Security]
TRANSFORMS-Filter_Events = FilterSecurityEvents

I am trying to stop EventCode 5156 being indexed, however this event code is still being index by Splunk. Does anyone have any idea as to why this is happening?

From browsing other splunkbase posts I have noticed that I am missing in the string ^ Should my entry be: REGEX = (?m)^EventCode=(5156)

Tags (1)
Reply

erstexas
Path Finder
‎06-18-2013 10:54 AM

Was anybody ever able to get this working?

0 Karma
Reply

tgow
Splunk Employee
Splunk Employee
‎11-11-2011 10:48 AM

You cannot filter events into the nullqueue on a Universal Forwarder. You will need to move the props.conf and transforms.conf onto the Indexer. Try this and the data should be sent to the nullqueue before it is indexed.

Reply

tgow
Splunk Employee
Splunk Employee
‎11-10-2011 10:04 AM

The Windows Event Codes can be tricky sometimes with the filtering.

I am wondering if the paratheses on the REGEX could be causing a problem and adding an anchor, ie:

[FilterSecurityEvents]
REGEX = (?m)^EventCode=5156
DEST_KEY = queue
FORMAT = nullQueue
0 Karma
Reply

itsomana
Path Finder
‎11-11-2011 05:33 AM

I have put in ^ into the Regex field REGEX = (?m)^EventCode=5156 then restarted splunk, however splunk was still logging Event Code 5156.

I then took the brackets from around (5156) then restarted splunk, however still no luck

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...