Splunk Search

Exclusion Not Working In Transforms.Conf File

itsomana
Path Finder

I have four Windows 2008 R2 servers each running a Splunk Universal Forwarder. On the Splunk server in the transforms.conf file which resides in C:\Program Files\Splunk\etc\system\local I have the following configuration:

[FilterSecurityEvents]
REGEX = (?m)EventCode=(5156)
DEST_KEY = queue
FORMAT = nullQueue

In the props.conf file which also resides in C:\Program Files\Splunk\etc\system\local I have the following entry:

[WinEventLog:Security]
TRANSFORMS-Filter_Events = FilterSecurityEvents

I am trying to stop EventCode 5156 being indexed, however this event code is still being indexed by Splunk. Does anyone have any idea as to why this is happening?

From browsing other Splunkbase posts I have noticed that I am missing ^ in the string. Should my entry be: REGEX = (?m)^EventCode=(5156)


erstexas
Path Finder

Was anybody ever able to get this working?


tgow
Splunk Employee

You cannot filter events into the nullqueue on a Universal Forwarder. You will need to move the props.conf and transforms.conf onto the Indexer. Try this and the data should be sent to the nullqueue before it is indexed.

tgow
Splunk Employee

The Windows Event Codes can be tricky sometimes with the filtering.

I am wondering if the parentheses on the REGEX could be causing a problem, and adding an anchor, i.e.:

[FilterSecurityEvents]
REGEX = (?m)^EventCode=5156
DEST_KEY = queue
FORMAT = nullQueue

itsomana
Path Finder

I have put ^ into the REGEX field (REGEX = (?m)^EventCode=5156) and restarted Splunk; however, Splunk was still logging Event Code 5156.

I then took the brackets from around (5156) and restarted Splunk; however, still no luck.

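The three REGEX variants discussed by tgow and itsomana above, checked against a constructed sample event (an added example, not code from the thread; Python's re module stands in for Splunk's PCRE engine, and the ^/$ behaviour under (?m) is the same for these patterns). It shows that all three patterns already match a 5156 event, so the regex was never why the filter failed on the Universal Forwarder, and that an end anchor keeps the transform from also dropping a longer code that merely starts with 5156.

```python
import re

# Constructed sample of a WinEventLog:Security event as the indexer sees
# it in _raw (multi-line key=value text).  Not a real capture.
SAMPLE_5156 = """01/15/2014 10:22:31 AM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=WIN2008R2-01
TaskCategory=Filtering Platform Connection
Message=The Windows Filtering Platform has permitted a connection.
"""

# A logon event that must NOT be dropped.
SAMPLE_4624 = SAMPLE_5156.replace("EventCode=5156", "EventCode=4624")
# Hypothetical code that merely starts with the digits 5156, to show
# what an unanchored tail lets through to the nullQueue.
SAMPLE_51560 = SAMPLE_5156.replace("EventCode=5156", "EventCode=51560")

# REGEX values from the thread, plus a tightened one with an end anchor.
REGEXES = {
    "original":  r"(?m)EventCode=(5156)",
    "anchored":  r"(?m)^EventCode=5156",
    "tightened": r"(?m)^EventCode=5156$",
}


def would_drop(regex: str, event: str) -> bool:
    """True if a transform with DEST_KEY=queue / FORMAT=nullQueue and this
    REGEX would route the event to the nullQueue.  Splunk fires the
    transform when REGEX matches anywhere in _raw (search semantics)."""
    return re.search(regex, event) is not None


def evaluate(event: str) -> dict:
    """Map each REGEX variant to whether it would drop the given event."""
    return {name: would_drop(rx, event) for name, rx in REGEXES.items()}


if __name__ == "__main__":
    for label, ev in (("5156", SAMPLE_5156), ("4624", SAMPLE_4624),
                      ("51560", SAMPLE_51560)):
        print(label, evaluate(ev))
```

Because the match succeeds with every variant, the fix is where the stanzas live: props.conf and transforms.conf must be on the indexer (or a heavy forwarder), not on the Universal Forwarder, which does not run this parsing stage.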