Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Exclusion Not Working In Transforms.Conf File

itsomana
Path Finder
‎11-10-2011 06:45 AM

I have four Windows 2008 R2 servers each running a Splunk Univerisal Forwarder. On the Splunk server in the transforms.Conf file which resides in C:\Program Files\Splunk\etc\system\local I have the following configuration:

[FilterSecurityEvents]
REGEX = (?m)EventCode=(5156)
DEST_KEY = queue
FORMAT = nullQueue

In the props.conf file which also resides in C:\Program Files\Splunk\etc\system\local I have the following entry:

[WinEventLog:Security]
TRANSFORMS-Filter_Events = FilterSecurityEvents

I am trying to stop EventCode 5156 being indexed, however this event code is still being index by Splunk. Does anyone have any idea as to why this is happening?

From browsing other splunkbase posts I have noticed that I am missing in the string ^ Should my entry be: REGEX = (?m)^EventCode=(5156)

Tags (1)
Reply

erstexas
Path Finder
‎06-18-2013 10:54 AM

Was anybody ever able to get this working?

0 Karma
Reply

tgow
Splunk Employee
Splunk Employee
‎11-11-2011 10:48 AM

You cannot filter events into the nullqueue on a Universal Forwarder. You will need to move the props.conf and transforms.conf onto the Indexer. Try this and the data should be sent to the nullqueue before it is indexed.

Reply

tgow
Splunk Employee
Splunk Employee
‎11-10-2011 10:04 AM

The Windows Event Codes can be tricky sometimes with the filtering.

I am wondering if the paratheses on the REGEX could be causing a problem and adding an anchor, ie:

[FilterSecurityEvents]
REGEX = (?m)^EventCode=5156
DEST_KEY = queue
FORMAT = nullQueue
0 Karma
Reply

itsomana
Path Finder
‎11-11-2011 05:33 AM

I have put in ^ into the Regex field REGEX = (?m)^EventCode=5156 then restarted splunk, however splunk was still logging Event Code 5156.

I then took the brackets from around (5156) then restarted splunk, however still no luck

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...