Filter Input data from universalforwarder port_9514

mayler
Path Finder

First, thanks for taking the time to look at this. Hopefully I'll be able to provide all the information you need to help me out.

I have several extremely chatty Windows servers (AD 2008) with a universal forwarder installed (4.3.1 build 119532). They're forwarding Windows events to my Splunk server (same version and build) over TCP 9514, so the Splunk server is configured to receive on tcp_9514.

in /etc/system/local/props.conf
[default]
TRANSFORMS-wmi=wminull

in /etc/system/local/transforms.conf

[wminull]
REGEX=(?msi)^EventCode=(4768|4776|4769|4932|4933|5152|5158|4634|4672|5156|4662|4624|7036|5145|5140)
DEST_KEY=queue
FORMAT=nullQueue

The problem is I'm still indexing events mentioned in the regex. This configuration worked in our test environment. I'm not sure where to start troubleshooting this. I think it's all configured correctly.

metrics.log (one host)

INFO Metrics - group=tcpin_connections, 10.1.57.202:49328:9514, connectionType=cooked, sourcePort=49328, sourceHost=10.1.57.202, sourceIp=10.1.57.202, destPort=9514, _tcp_Bps=51043.12, _tcp_KBps=49.85, _tcp_avg_thruput=364.65, kb=1463.47, _tcp_Kprocessed=35517.31, _tcp_eps=36.85, build=119532, version=4.3.1, os=Windows, arch=x64, hostname=dccoslo2, guid=526275C8-DEC9-4F06-BD7B-30EFB3158043, fwdType=uf, ssl=false, lastIndexer=10.1.57.198:9514, ack=false

0 Karma
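As an added example (not part of the original post), the following Python script runs the poster's [wminull] REGEX, copied unchanged, over constructed WinEventLog-style events to show which ones a working transform would send to nullQueue and which would still be indexed. It also runs the same alternation without the (?m) flag, to show why that flag matters: a forwarded Windows event begins with a timestamp line, so EventCode= is never at the start of _raw. Splunk evaluates transforms with PCRE; Python's re behaves identically for this pattern. The sample events, hostname and messages are constructed.

```python
import re

# Event codes from the poster's [wminull] stanza, in the same order.
DROP_CODES = [
    "4768", "4776", "4769", "4932", "4933", "5152", "5158", "4634",
    "4672", "5156", "4662", "4624", "7036", "5145", "5140",
]
ALTERNATION = "|".join(DROP_CODES)

# Exactly the poster's REGEX: (?m) lets ^ match at the start of every line.
WMINULL_REGEX = re.compile(r"(?msi)^EventCode=(" + ALTERNATION + ")")

# Same alternation without (?m): ^ only matches at the start of _raw,
# which on a WinEventLog event is the timestamp line, so nothing matches.
WMINULL_NO_MULTILINE = re.compile(r"(?si)^EventCode=(" + ALTERNATION + ")")


def make_event(code: str, message: str) -> str:
    """Constructed sample in the key=value shape a universal forwarder
    ships for WinEventLog inputs: timestamp first, EventCode= further down."""
    return (
        "05/14/2012 10:12:33 AM\n"
        "LogName=Security\n"
        "SourceName=Microsoft Windows security auditing.\n"
        f"EventCode={code}\n"
        "EventType=0\n"
        "Type=Information\n"
        "ComputerName=dc01.example.local\n"
        f"Message={message}\n"
    )


def route(event: str, regex: re.Pattern = WMINULL_REGEX) -> str:
    """Mimic DEST_KEY=queue / FORMAT=nullQueue: a match drops the event,
    anything else goes on to the index queue."""
    return "nullQueue" if regex.search(event) else "indexQueue"


def summarize(events, regex: re.Pattern = WMINULL_REGEX) -> dict:
    """Count how many of the given events each queue would receive."""
    counts = {"nullQueue": 0, "indexQueue": 0}
    for ev in events:
        counts[route(ev, regex)] += 1
    return counts


# Constructed sample: three codes in the drop list, two that are not.
SAMPLE_EVENTS = [
    make_event("4624", "An account was successfully logged on."),
    make_event("4672", "Special privileges assigned to new logon."),
    make_event("4625", "An account failed to log on."),
    make_event("4720", "A user account was created."),
    make_event("7036", "The Windows Update service entered the running state."),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        code = re.search(r"(?m)^EventCode=(\d+)", ev).group(1)
        print(f"EventCode={code}: {route(ev)}")
    print("with (?m):   ", summarize(SAMPLE_EVENTS))
    print("without (?m):", summarize(SAMPLE_EVENTS, WMINULL_NO_MULTILINE))
```

If the regex drops the right events here but the same events still appear in the index, the pattern is not the problem; the transform is simply not being applied to those events on the indexer, which points at configuration placement or precedence rather than syntax.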

mayler
Path Finder

Unfortunately, there is no answer to the issue I experienced.

Removed my Splunk install completely and re-installed the latest version as a fresh install. I only kept my transforms.conf and props.conf files. Everything else is brand new.

And the filter is working. I suspect Ayn was on the right track. Something in my configuration was not right. Thanks for the help!

0 Karma

Ayn
Legend

Just one thought - did you make sure that your transform identifier (the "wmi" part in "TRANSFORMS-wmi") isn't duplicated anywhere? These identifiers need to be unique, so if they're not that will cause undefined behaviour.

mayler
Path Finder

I searched again, this time at /etc/* but still no joy. I really thought that might have been it this time! 🙂 So we all agree the syntax, etc. is good. And this did work in our test environment. But the test environment was brand new. I think I'll just backup my .conf files and install fresh. I'll update.

0 Karma

Ayn
Legend

Note that there are other paths than etc/system that props.conf can reside in, for instance all apps in etc/apps.

0 Karma
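An added example (not from the thread) of the check Ayn is describing: walk every props.conf under $SPLUNK_HOME/etc, not just etc/system, and report any TRANSFORMS-<class> key that is defined for the same stanza in more than one file, listing them in the order Splunk merges them so the winning definition is first. The directory tree, app names and the colliding stanza are constructed in a temporary directory for the demo; the precedence ranking follows the documented order for index-time settings (system/local, then apps' local, then apps' default, then system/default) and simplifies ordering among apps to alphabetical. On a real server, `splunk btool props list --debug` is the authoritative view of what actually merges.

```python
import tempfile
from pathlib import Path


def precedence_rank(rel: Path) -> tuple:
    """Rank a props.conf path relative to etc/ by Splunk's global (index-time)
    precedence. Lower sorts first and wins. Ordering among apps is
    simplified to the app name (assumption; btool is authoritative)."""
    parts = rel.parts
    if len(parts) >= 3 and parts[0] == "system" and parts[1] == "local":
        return (0, "")
    if len(parts) >= 4 and parts[0] == "apps" and parts[2] == "local":
        return (1, parts[1])
    if len(parts) >= 4 and parts[0] == "apps" and parts[2] == "default":
        return (2, parts[1])
    return (3, "")


def parse_conf(text: str) -> dict:
    """Minimal Splunk .conf reader: [stanza] headers and key = value lines.
    Enough to locate keys; it is not a replacement for btool's merge."""
    stanzas: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def index_transform_keys(etc: Path) -> dict:
    """Map (stanza, 'TRANSFORMS-<class>') to [(rank, file, value), ...]
    across every props.conf under etc/, sorted so the winner is first."""
    found: dict = {}
    for props in etc.rglob("props.conf"):
        rel = props.relative_to(etc)
        for stanza, kv in parse_conf(props.read_text()).items():
            for key, value in kv.items():
                if key.startswith("TRANSFORMS-"):
                    found.setdefault((stanza, key), []).append(
                        (precedence_rank(rel), rel.as_posix(), value)
                    )
    for hits in found.values():
        hits.sort()
    return found


def collisions(found: dict) -> dict:
    """Keys defined in more than one props.conf for the same stanza.
    Only the first (highest-precedence) value survives the merge."""
    return {k: v for k, v in found.items() if len(v) > 1}


# Constructed demo tree. The app "old_tuning" is a hypothetical leftover that
# reuses the class name "wmi" on [default]; "windows_ta" uses a different
# class name, so it does not collide.
DEMO_FILES = {
    "system/local/props.conf": "[default]\nTRANSFORMS-wmi=wminull\n",
    "apps/old_tuning/local/props.conf": "[default]\nTRANSFORMS-wmi=keep_everything\n",
    "apps/windows_ta/default/props.conf": "[WinEventLog:Security]\nTRANSFORMS-sec=sec_null\n",
}


def run_demo() -> dict:
    """Write the constructed tree to a temp dir and return its collisions."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp) / "etc"
        for rel, body in DEMO_FILES.items():
            target = etc / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return collisions(index_transform_keys(etc))


if __name__ == "__main__":
    for (stanza, key), hits in run_demo().items():
        print(f"[{stanza}] {key} is defined in {len(hits)} files:")
        for _rank, path, value in hits:
            print(f"    {path}: {key}={value}")
```

Point the same walk at a real `$SPLUNK_HOME/etc` by calling `collisions(index_transform_keys(Path('/opt/splunk/etc')))`; a grep limited to etc/system, as in the thread, would never have shown the second definition.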

mayler
Path Finder

Thank you for the suggestion. I ran grep -irn TRANSFORMS-wmi /opt/splunk/etc/system/*

It only shows the one entry in /local/props.conf.

0 Karma

mwhite_splunk
Splunk Employee

mayler
Path Finder

Thank you for pointing that out. I tried using that earlier but no luck.

0 Karma