When adding a new filter to props.conf and transforms.conf does it remove events that have already been indexed or only new incoming events?
We are attempting to filter out all "Windows Platform Filtering" events. Is there a regex to do this, or will we need to have a regex for each Event Code?
From a previous question I was given:
(?msi)^EventCode=5156D
If I search "EventCode=5156" there's plenty of results.
I am attempting to search via:
| regex _raw=(?msi)^EventCode=5156D
I am unable to find anything
Splunk's latest release, version 6, builds event ID filtering into the WinEventLog inputs. See inputs.conf documentation for more details.
It will never remove anything from the index. You have to use the cli clear command. Technically, even "| delete" doesnt remove it from the index (masks it).
To filter out multiple events, see this post:
http://answers.splunk.com/answers/59370/filtering-events-using-nullqueue
| regex _raw=(?msi)^EventCode=5156\D
I think it was missing a \ before the D.
You can also run this without the \D
| regex _raw=(?msi)^EventCode=5156
Well that does look easy.
If you are running Splunk6
Try adding
blacklist = 5156
to your inputs.conf stanza for the wmi:wineventlog:security source. And thank sowings.
[WinEventLog] inputs, whitelist / blacklist.
I just tested
| regex _raw=(?msi)^EventCode=5156
and it worked. You can also use
| regex EventCode=5156
I looked at the most recent inputs.conf information, but I did not see what sowings was refering to. I'm sure it is there, but will take some reading.
I'm still unable to find any results via search with either of those regex expressions
But I am able to see thousands of events when I search, "EventCode=5156"