First, thanks for taking the time to look at this. Hopefully I'll be able to provide all the information you need to help me out.
I have several extremely chatty Windows servers (AD 2008) with a universal forwarder installed (4.3.1 build 119532). They're forwarding Windows events to my Splunk server (same version and build) over TCP 9514, so the Splunk server is configured to receive on tcp_9514.
In /etc/system/local/props.conf:
[default]
TRANSFORMS-wmi=wminull
In /etc/system/local/transforms.conf:
[wminull]
REGEX=(?msi)^EventCode=(4768|4776|4769|4932|4933|5152|5158|4634|4672|5156|4662|4624|7036|5145|5140)
DEST_KEY=queue
FORMAT=nullQueue
The problem is I'm still indexing events mentioned in the regex. This configuration worked in our test environment. I'm not sure where to start troubleshooting this. I think it's all configured correctly.
metrics.log (one host):
INFO Metrics - group=tcpin_connections, 10.1.57.202:49328:9514, connectionType=cooked, sourcePort=49328, sourceHost=10.1.57.202, sourceIp=10.1.57.202, destPort=9514, _tcp_Bps=51043.12, _tcp_KBps=49.85, _tcp_avg_thruput=364.65, kb=1463.47, _tcp_Kprocessed=35517.31, _tcp_eps=36.85, build=119532, version=4.3.1, os=Windows, arch=x64, hostname=dccoslo2, guid=526275C8-DEC9-4F06-BD7B-30EFB3158043, fwdType=uf, ssl=false, lastIndexer=10.1.57.198:9514, ack=false
Unfortunately, there is no answer to the issue I experienced.
Removed my splunk install completely and re-installed the latest version as a fresh install. I only kept my transforms and props.conf files. Everything else is brand new.
And the filter is working. I suspect Ayn was on the right track. Something in my configuration was not right. Thanks for the help!
Just one thought - did you make sure that your transform identifier (the "wmi" part in "TRANSFORMS-wmi") isn't duplicated anywhere? These identifiers need to be unique, so if they're not that will cause undefined behaviour.
I searched again, this time at /etc/* but still no joy. I really thought that might have been it this time! 🙂 So we all agree the syntax, etc. is good. And this did work in our test environment. But the test environment was brand new. I think I'll just backup my .conf files and install fresh. I'll update.
Note that there are other paths than etc/system that props.conf can reside in. For instance all apps in etc/apps.
Thank you for the suggestion. I ran grep -irn TRANSFORMS-wmi /opt/splunk/etc/system/* and it only shows the one entry in /local/props.conf.
A similar thing is talked about here:
http://splunk-base.splunk.com/answers/29218/filtering-windows-event-logs
Thank you for pointing that out. I tried using that earlier but no luck.