Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Filtering events and Windows Platform Filtering events

ejdavis
Path Finder
‎10-09-2013 11:30 AM

When adding a new filter to props.conf and transforms.conf does it remove events that have already been indexed or only new incoming events?

We are attempting to filter out all "Windows Platform Filtering" events. Is there a regex to do this, or will we need to have a regex for each Event Code?

From a previous question I was given:

(?msi)^EventCode=5156D

If I search "EventCode=5156" there's plenty of results.

I am attempting to search via:

| regex _raw=(?msi)^EventCode=5156D

I am unable to find anything

0 Karma
Reply

sowings
Splunk Employee
Splunk Employee
‎10-09-2013 12:02 PM

Splunk's latest release, version 6, builds event ID filtering into the WinEventLog inputs. See inputs.conf documentation for more details.

0 Karma
Reply

gregbujak
Path Finder
‎10-09-2013 11:52 AM

It will never remove anything from the index. You have to use the cli clear command. Technically, even "| delete" doesnt remove it from the index (masks it).

To filter out multiple events, see this post:
http://answers.splunk.com/answers/59370/filtering-events-using-nullqueue

0 Karma
Reply

lukejadamec
Super Champion
‎10-09-2013 11:35 AM 
| regex _raw=(?msi)^EventCode=5156\D

I think it was missing a \ before the D.
You can also run this without the \D

| regex _raw=(?msi)^EventCode=5156
0 Karma
Reply

lukejadamec
Super Champion
‎10-09-2013 12:38 PM

Well that does look easy.
If you are running Splunk6
Try adding
blacklist = 5156
to your inputs.conf stanza for the wmi:wineventlog:security source. And thank sowings.

0 Karma
Reply

sowings
Splunk Employee
Splunk Employee
‎10-09-2013 12:31 PM

[WinEventLog] inputs, whitelist / blacklist.

Reply

lukejadamec
Super Champion
‎10-09-2013 12:21 PM

I just tested
| regex _raw=(?msi)^EventCode=5156
and it worked. You can also use
| regex EventCode=5156
I looked at the most recent inputs.conf information, but I did not see what sowings was refering to. I'm sure it is there, but will take some reading.

0 Karma
Reply

ejdavis
Path Finder
‎10-09-2013 11:49 AM

I'm still unable to find any results via search with either of those regex expressions

But I am able to see thousands of events when I search, "EventCode=5156"

0 Karma
Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...